DEV Community: Vardan Matevosian The latest articles on DEV Community by Vardan Matevosian (@vardan_matevosian_tech). https://dev.to/vardan_matevosian_tech https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3641843%2Fe2efae7c-08f5-4b2d-b8c1-7f4d98e6ed96.jpg DEV Community: Vardan Matevosian https://dev.to/vardan_matevosian_tech en Is OpenAI really running ChatGPT on a single PostgreSQL instance? Vardan Matevosian Tue, 27 Jan 2026 09:12:10 +0000 https://dev.to/vardan_matevosian_tech/is-openai-really-running-chatgpt-on-a-single-postgresql-instance-24b4 https://dev.to/vardan_matevosian_tech/is-openai-really-running-chatgpt-on-a-single-postgresql-instance-24b4 <p>The headline of OpenAI’s recent article <a href="https://openai.com/index/scaling-postgresql/" rel="noopener noreferrer">https://openai.com/index/scaling-postgresql/</a> feels a bit clickbaity, <br> If they truly used only one database instance, ChatGPT would’ve been dead on arrival.</p> <p>But the reality is far more impressive: they’re using the right tool for each layer of the persistent stack:</p> <ul> <li><p>They push PostgreSQL to its absolute limits, with a single primary writer, yes, but backed by nearly 50 read replicas across global regions.</p></li> <li><p>For write-heavy workloads, they’ve wisely migrated to sharded systems like Azure Cosmos DB.</p></li> <li> <p>They’ve added layers of resilience:</p> <ul> <li> connection pooling with PgBouncer,</li> <li> query rate limiting,</li> <li> caching with lock leasing,</li> <li> cascading replication (in testing),</li> <li> strict schema-change policies.</li> </ul> </li> </ul> <p>It’s not magic, it’s mature, thoughtful engineering at scale.</p> <p>If you work with databases, this post is absolutely worth reading.</p> sql openai postgres chatgpt The second-highest salary: Why the simplest SQL query is often the smartest Vardan Matevosian Tue, 13 Jan 2026 09:51:22 +0000 https://dev.to/vardan_matevosian_tech/the-second-highest-salary-why-the-simplest-sql-query-is-often-the-smartest-3jod https://dev.to/vardan_matevosian_tech/the-second-highest-salary-why-the-simplest-sql-query-is-often-the-smartest-3jod <p><strong>Spoiler</strong>: That elegant two-line <code>MAX()</code> subquery? It’s not just clever—it’s <em>correct</em>, <em>portable</em>, and often <em>faster</em> than fancier alternatives.</p> <p>When interviewing for backend or data roles, you’ve probably seen this classic problem: <em>“Find the second highest salary from the <code>Employee</code> table. If there is no second highest salary, return <code>NULL</code>”.</em></p> <p>It also appears in LeetCode #176 and similar coding challenge sites.</p> <p>The solution seems trivial until you consider duplicates, performance, edge cases, and real-world database behavior.</p> <p>In this deep dive, we’ll compare three common approaches, expose hidden pitfalls, and reveal why <strong>the simplest solution is frequently the best</strong>, especially when correctness and portability matter.</p> <p> </p> <h2> The problem and sample data </h2> <p>We’re given an <code>employee</code> table:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>id</th> <th>name</th> <th>salary</th> <th>department_id</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Ivan</td> <td>1000.1234</td> <td>1</td> </tr> <tr> <td>2</td> <td>Anna</td> <td>1500.1234</td> <td>1</td> </tr> <tr> <td>3</td> <td>Oleg</td> <td>2200.1234</td> <td>2</td> </tr> <tr> <td>4</td> <td>Maria</td> <td>2200.1234</td> <td>2</td> </tr> <tr> <td>5</td> <td>David</td> <td>2000.5678</td> <td>2</td> </tr> </tbody> </table></div> <p> </p> <p><strong>Expected result</strong>: 2000.5678</p> <p><strong>Problem statement</strong>: Find the <strong>second highest distinct salary</strong> from the <code>employee</code> table.</p> <p><strong>Key requirement</strong>: Return NULL if fewer than <strong>two distinct salaries</strong> exist (e.g., all employees earn the same).</p> <p>This isn’t about the “second row” — it’s about the <strong>second highest <em>distinct</em> value</strong>.</p> <p> </p> <h2> Three common solutions compared </h2> <p> </p> <h3> METHOD 1: <code>MAX()</code> + Subquery </h3> <p> <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="k">MAX</span><span class="p">(</span><span class="n">salary</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">employee</span> <span class="k">WHERE</span> <span class="n">salary</span> <span class="o">&lt;</span> <span class="p">(</span><span class="k">SELECT</span> <span class="k">MAX</span><span class="p">(</span><span class="n">salary</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">employee</span><span class="p">);</span> </code></pre> </div> <p> </p> <p><strong>Why it works</strong>:</p> <ul> <li>Inner query finds the global max.</li> <li>Outer query finds the max among values strictly less than that.</li> <li>Naturally returns <code>NULL</code> if no such value exists.</li> <li>Handles duplicates implicitly—no extra logic needed.</li> </ul> <p><strong>Performance</strong>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Time Complexity</th> </tr> </thead> <tbody> <tr> <td>No index</td> <td>O(N)</td> </tr> <tr> <td>With index</td> <td>O(log N + c)</td> </tr> </tbody> </table></div> <blockquote> <p><code>c</code> = small constant (rows scanned after max; usually 1–few)<br>  </p> </blockquote> <p><strong>PROS</strong></p> <ul> <li>Correct by design</li> <li>Returns <code>NULL</code> as required</li> <li>Works on any SQL database (even SQLite!)</li> </ul> <p><strong>CONS</strong></p> <ul> <li>Not easily extensible to “3rd highest” or “top 5”</li> </ul> <p><strong>Verdict</strong>: Best for this exact problem. Simple, safe, and scalable.</p> <p> </p> <h3> METHOD 2: <code>DISTINCT</code> + <code>ORDER BY</code> + <code>OFFSET</code> </h3> <p> <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="k">DISTINCT</span> <span class="n">salary</span> <span class="k">FROM</span> <span class="n">employee</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">salary</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">1</span> <span class="k">OFFSET</span> <span class="mi">1</span><span class="p">;</span> </code></pre> </div> <p> </p> <p><strong>Note:</strong> Without DISTINCT, this returns the second row, not the second distinct salary. So we must include DISTINCT.</p> <p><strong>Performance reality</strong>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Database Version</th> <th>Time Complexity</th> </tr> </thead> <tbody> <tr> <td>MySQL ≥ 8.0 / PostgreSQL ≥ 13</td> <td>O(k log N)</td> </tr> <tr> <td>Older versions</td> <td>O(N)</td> </tr> <tr> <td>No index</td> <td>O(N log N)</td> </tr> </tbody> </table></div> <p> </p> <p>O(k log N) - only if skip scan (MySQL) or index skip scan (PostgreSQL) is used</p> <p> </p> <p><strong>PROS</strong></p> <ul> <li>Clean syntax</li> <li>Very fast on modern DBs with proper indexes</li> </ul> <p><strong>CONS</strong></p> <ul> <li>Fails silently on older databases (full scan!)</li> <li>Returns empty result, not <code>NULL</code>—your app must handle it</li> <li>Requires <code>DESC</code> index for best performance</li> <li> <code>DISTINCT</code> can be expensive if skip scan isn’t available</li> </ul> <p><strong>Verdict</strong>: Great only if you control your DB version and handle empty results.</p> <p> </p> <h3> Method 3: <code>DENSE_RANK()</code> Window Function </h3> <p> <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">salary</span> <span class="k">FROM</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">salary</span><span class="p">,</span> <span class="n">DENSE_RANK</span><span class="p">()</span> <span class="n">OVER</span> <span class="p">(</span><span class="k">ORDER</span> <span class="k">BY</span> <span class="n">salary</span> <span class="k">DESC</span><span class="p">)</span> <span class="k">AS</span> <span class="n">place</span> <span class="k">FROM</span> <span class="n">employee</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">emp</span> <span class="k">WHERE</span> <span class="n">place</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> </code></pre> </div> <p> </p> <p><strong>Flexible?</strong></p> <p>Note:</p> <ul> <li>DENSE_RANK() properly handles ties (e.g., two people at rank 1 with the same salary, next is rank 2).</li> <li>But returns an empty set, not <code>NULL</code>, so you’d need to wrap in MAX() to comply with requirements, or handle it in the application code.</li> </ul> <p><strong>Performance</strong>:</p> <ul> <li>Always O(N log N) due to sorting, even with an index.</li> <li>Most databases compute ranks for all rows, even if you only need rank=2.</li> </ul> <p><strong>Pros</strong>:</p> <ul> <li>Highly flexible (easy to get 3rd, 10th, etc.)</li> <li>Handles complex ranking scenarios</li> </ul> <p><strong>Cons</strong>:</p> <ul> <li>Overhead for a simple task</li> <li>Doesn’t return NULL natively</li> <li>Not supported in older DBs (e.g., MySQL &lt; 8.0)</li> </ul> <p><strong>Verdict</strong>: Save this for when you truly need ranking logic, not scalar results.</p> <p> </p> <h2> H2H comparison </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Method</th> <th>Correct?</th> <th>Returns <code>NULL</code>?</th> <th>Handles Duplicates?</th> <th>Portable?</th> <th>Best Use Case</th> </tr> </thead> <tbody> <tr> <td>&lt;MAX() + Subquery</td> <td>Yes</td> <td>Yes&lt;</td> <td>Yes</td> <td>Yes</td> <td>Second highest (exact match)</td> </tr> <tr> <td>DISTINCT + OFFSET</td> <td>Yes</td> <td>No</td> <td>Yes</td> <td>Modern DBs only</td> <td>Top-N distinct (with skip scan)</td> </tr> <tr> <td>DENSE_RANK()</td> <td>Yes</td> <td>No</td> <td>Yes</td> <td>Newer DBs</td> <td>Flexible ranking with ties</td> </tr> </tbody> </table></div> <p> </p> <h2> Key takeaways </h2> <ol> <li><p><strong>Favor correctness, clever code can wait</strong><br><br> The MAX() subquery satisfies the specification exactly: it returns <code>NULL</code> when appropriate and naturally ignores duplicates.</p></li> <li><p><strong>Don’t trust OFFSET for “Nth highest”</strong><br><br> Without DISTINCT, it’s wrong. Even with DISTINCT, it’s not portable and may be slow on older systems.</p></li> <li><p><strong>Index is not meant for automatic speed</strong><br><br> A DESC index helps—but only if your database supports skip scans (MySQL 8.0+ or PostgreSQL 13+). Otherwise, you’re scanning millions of rows for two values.</p></li> <li><p><strong>Window functions aren’t always better</strong><br><br> They’re powerful, but introduce unnecessary overhead for simple scalar problems.</p></li> </ol> <p> </p> <h2> Final recommendation </h2> <p>For the “second-highest salary” problem, use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="k">MAX</span><span class="p">(</span><span class="n">salary</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">employee</span> <span class="k">WHERE</span> <span class="n">salary</span> <span class="o">&lt;</span> <span class="p">(</span><span class="k">SELECT</span> <span class="k">MAX</span><span class="p">(</span><span class="n">salary</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">employee</span><span class="p">);</span> </code></pre> </div> <p> </p> <p>It’s:</p> <ul> <li>Correct</li> <li>NULL-safe</li> <li>Portable</li> <li>Efficient</li> <li>Readable</li> </ul> <p> </p> <p>Use DISTINCT, OFFSET, and DENSE_RANK() for problems that truly require their flexibility.</p> <p><strong>Remember</strong>: In SQL, a shorter query doesn’t always run faster, what really matters is writing one that’s clear, accurate, and does exactly what you intend.</p> <p> <br>  </p> <p>Originally published on my personal blog: <a href="https://matevosian.tech/blog/post/database_sql_second_highest_salary" rel="noopener noreferrer">https://matevosian.tech/blog/post/database_sql_second_highest_salary</a></p> <p> <br>  </p> sql leetcode database programming Application security: thinking backwards Vardan Matevosian Wed, 07 Jan 2026 12:25:24 +0000 https://dev.to/vardan_matevosian_tech/application-security-thinking-backwards-2756 https://dev.to/vardan_matevosian_tech/application-security-thinking-backwards-2756 <p>📜 Developers often focus on what library or what tool they can use to secure their microservices. Modern tools are powerful nowadays, but you can’t be sure all doors are locked if you have never looked at them from the other side.<br> To truly protect an application, you must first learn how it can be attacked.</p> <p>Thinking like an ethical hacker helps you understand:<br> 🕵️‍♂️ How can your application be invaded?<br> 🕵️‍♂️ Where sensitive data can be leaked?<br> 🕵️‍♂️ What weak points can be exploited?<br> 🕵️‍♂️ How attackers chain small issues into real threats?</p> <p>The OWASP community plays a huge role here. The OWASP Top 10 list of grouped vulnerabilities provides clear explanations of the most common vulnerabilities, how to test for them, and, most importantly, how to mitigate them.</p> <p>But theory alone is not enough.<br> There are excellent platforms where you can practice ethical hacking in a secure environment and understand how vulnerabilities behave in real-world scenarios. One of my favorites is PortSwigger Academy. You can choose a specific vulnerability, exploit it step by step, and then draw parallels to your own application.</p> <p>This practical approach helps you see security not as an abstract concept, but as something that directly affects your users.<br> The main goals are:<br> 🔦 prevent attacks before they happen <br> 🔦 protect our users <br> 🔦 let the users and us, not just go to sleep, but get some well-needed shut-eye 🏆🎬, knowing the doors are locked.</p> <p>PortSwigger Academy - <a href="https://portswigger.net/web-security" rel="noopener noreferrer">https://portswigger.net/web-security</a></p> <p>PortSwigger also developed the BurpSuite DAST (Dynamic Application Security Testing) tool. Burp Suite is a set of tools used for penetration testing of web applications. </p> <p>SAST, in combination with DAST tools, provides a more comprehensive security posture by identifying vulnerabilities in both the source code and the running application, enabling earlier detection, improved coverage, and reduced risk in production.</p> owasp portswigger burpsuite security Application Security with OAuth 2.0 and OpenID Vardan Matevosian Sun, 28 Dec 2025 17:35:10 +0000 https://dev.to/vardan_matevosian_tech/application-security-with-oauth-20-and-openid-2ip1 https://dev.to/vardan_matevosian_tech/application-security-with-oauth-20-and-openid-2ip1 <p>📜 After years of diving deep into application security, I wanted to share what I had learned with others.</p> <p>That experience sparked an idea: why not create a course that brings together all the practical knowledge I wish I had when I started?</p> <p>And that’s how my Udemy course “Application Security with OAuth 2.0 and OpenID” was born – a step-by-step guide for developers to understand security and get into these standards from a practical, hands-on perspective, and act like a hacker to see the other side.</p> <p>The goal is simple: help others build safer applications, protect users, and understand the OAuth 2.0 and OpenID standards.</p> <p>Security isn’t just a topic to learn; it’s a mindset. And I wanted to make that mindset accessible to every developer.</p> <p>If you are interested, here is the course link: <a href="http://udemy.com/course/application-security-with-oauth-2-and-openid" rel="noopener noreferrer">http://udemy.com/course/application-security-with-oauth-2-and-openid</a></p> security udemy oauth development Java Interface Evolution: Best Practices and Strategies Vardan Matevosian Sat, 27 Dec 2025 11:29:12 +0000 https://dev.to/vardan_matevosian_tech/java-interface-evolution-best-practices-and-strategies-44e1 https://dev.to/vardan_matevosian_tech/java-interface-evolution-best-practices-and-strategies-44e1 <p> <br>  </p> <h2> Introduction </h2> <p>In this post we will explore the evolution of Java interfaces, focusing on features introduced in Long-Term Support (LTS) releases since Java 8. <br> We will examine how these features have enhanced interface design.</p> <p> <br>  </p> <h3> Timeline navigation </h3> <ul> <li>Java 8 (March 2014)</li> <li>Java 11 (September 2018)</li> <li>Java 17 (September 2021)</li> <li>Java 21 (September 2023)</li> </ul> <p> </p> <center id="march-2014---java-8"><b>📍</b></center> <center><b>March 2014 - Java 8</b></center> <center><b>The Functional Revolution<b></b></b></center> <p> </p> <p>Java 8 revolutionized interfaces by allowing them to include non-abstract methods, enabling backward-compatible API evolution and supporting functional programming via functional interfaces.</p> <p> </p> <p>New interface features:</p> <ul> <li> <strong>Default methods (default keyword)</strong> – provide concrete implementations.</li> <li> <strong>Static methods</strong> in interfaces.</li> <li> <strong>Functional interfaces</strong> – interfaces with exactly one abstract method (used with lambdas). </li> </ul> <p>  <br>   </p> <h3> Default methods </h3> <p>Java 8 introduced a significant change to interfaces: the ability to define method implementations directly within the interface using the default keyword. This feature addresses the "interface evolution problem", where adding a new method to an existing interface would break all implementing classes.</p> <p>Before Java 8, any change to an interface required all implementing classes to be modified to provide an implementation for the new method. This was a major obstacle to evolving APIs, as it could lead to widespread code changes and potential compatibility issues. Default methods provide a way to add new functionality to an interface without breaking existing implementations.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">interface</span> <span class="nc">MyInterface</span> <span class="o">{</span> <span class="kt">void</span> <span class="nf">existingMethod</span><span class="o">();</span> <span class="k">default</span> <span class="kt">void</span> <span class="nf">newDefaultMethod</span><span class="o">()</span> <span class="o">{</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="s">"This is a default method."</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">MyClass</span> <span class="kd">implements</span> <span class="nc">MyInterface</span> <span class="o">{</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">existingMethod</span><span class="o">()</span> <span class="o">{</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="s">"Implementing existing method."</span><span class="o">);</span> <span class="o">}</span> <span class="c1">// No need to implement newDefaultMethod() unless specific behavior is desired</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">someMethod</span><span class="o">()</span> <span class="o">{</span> <span class="n">newDefaultMethod</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <h3> Real JDK example of default method </h3> <p> </p> <p><span>Interface:</span> <strong><code>java.util.List</code></strong><br>  </p> <p><span>Purpose:</span> Sort the list in place using a Comparator.<br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">interface</span> <span class="nc">List</span><span class="o">&lt;</span><span class="no">E</span><span class="o">&gt;</span> <span class="kd">extends</span> <span class="nc">Collection</span><span class="o">&lt;</span><span class="no">E</span><span class="o">&gt;</span> <span class="o">{</span> <span class="k">default</span> <span class="kt">void</span> <span class="nf">sort</span><span class="o">(</span><span class="nc">Comparator</span><span class="o">&lt;?</span> <span class="kd">super</span> <span class="no">E</span><span class="o">&gt;</span> <span class="n">c</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Collections</span><span class="o">.</span><span class="na">sort</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="n">c</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="c1">// Usage:</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">list</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ArrayList</span><span class="o">&lt;&gt;(</span><span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="s">"banana"</span><span class="o">,</span> <span class="s">"apple"</span><span class="o">,</span> <span class="s">"cherry"</span><span class="o">));</span> <span class="n">list</span><span class="o">.</span><span class="na">sort</span><span class="o">(</span><span class="nc">Comparator</span><span class="o">.</span><span class="na">naturalOrder</span><span class="o">());</span> <span class="c1">// Output: [apple, banana, cherry]</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">list</span><span class="o">);</span> </code></pre> </div> <p> </p> <p> </p> <p><span>Interface:</span> <strong><code>java.lang.Iterable</code></strong><br>  </p> <p><span>Purpose:</span> Enables concise iteration with lambdas.<br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">interface</span> <span class="nc">Iterable</span><span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;</span> <span class="o">{</span> <span class="k">default</span> <span class="kt">void</span> <span class="nf">forEach</span><span class="o">(</span><span class="nc">Consumer</span><span class="o">&lt;?</span> <span class="kd">super</span> <span class="no">T</span><span class="o">&gt;</span> <span class="n">action</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Objects</span><span class="o">.</span><span class="na">requireNonNull</span><span class="o">(</span><span class="n">action</span><span class="o">);</span> <span class="k">for</span> <span class="o">(</span><span class="no">T</span> <span class="n">t</span> <span class="o">:</span> <span class="k">this</span><span class="o">)</span> <span class="o">{</span> <span class="n">action</span><span class="o">.</span><span class="na">accept</span><span class="o">(</span><span class="n">t</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">list</span> <span class="o">=</span> <span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="s">"apple"</span><span class="o">,</span> <span class="s">"banana"</span><span class="o">,</span> <span class="s">"cherry"</span><span class="o">);</span> <span class="n">list</span><span class="o">.</span><span class="na">forEach</span><span class="o">(</span><span class="n">item</span> <span class="o">-&gt;</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">item</span><span class="o">));</span> </code></pre> </div> <p> </p> <p> </p> <p><span>Interface:</span> <strong><code>java.util.Map</code></strong><br>  </p> <p><span>Purpose:</span> Java 8 added several useful default methods to the Map interface.<br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">interface</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="no">K</span><span class="o">,</span> <span class="no">V</span><span class="o">&gt;</span> <span class="o">{</span> <span class="k">default</span> <span class="no">V</span> <span class="nf">getOrDefault</span><span class="o">(</span><span class="nc">Object</span> <span class="n">key</span><span class="o">,</span> <span class="no">V</span> <span class="n">defaultValue</span><span class="o">)</span> <span class="o">{</span> <span class="no">V</span> <span class="n">v</span><span class="o">;</span> <span class="k">return</span> <span class="o">(((</span><span class="n">v</span> <span class="o">=</span> <span class="n">get</span><span class="o">(</span><span class="n">key</span><span class="o">))</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">||</span> <span class="n">containsKey</span><span class="o">(</span><span class="n">key</span><span class="o">))</span> <span class="o">?</span> <span class="n">v</span> <span class="o">:</span> <span class="n">defaultValue</span><span class="o">;</span> <span class="o">}</span> <span class="k">default</span> <span class="no">V</span> <span class="nf">putIfAbsent</span><span class="o">(</span><span class="no">K</span> <span class="n">key</span><span class="o">,</span> <span class="no">V</span> <span class="n">value</span><span class="o">)</span> <span class="o">{</span> <span class="no">V</span> <span class="n">v</span> <span class="o">=</span> <span class="n">get</span><span class="o">(</span><span class="n">key</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">v</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">v</span> <span class="o">=</span> <span class="n">put</span><span class="o">(</span><span class="n">key</span><span class="o">,</span> <span class="n">value</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="n">v</span><span class="o">;</span> <span class="o">}</span> <span class="c1">// Other default methods like remove, replace, compute, merge, etc.</span> <span class="o">}</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Integer</span><span class="o">&gt;</span> <span class="n">map</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashMap</span><span class="o">&lt;&gt;();</span> <span class="n">map</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"apple"</span><span class="o">,</span> <span class="mi">1</span><span class="o">);</span> <span class="nc">Integer</span> <span class="n">i</span> <span class="o">=</span> <span class="n">map</span><span class="o">.</span><span class="na">getOrDefault</span><span class="o">(</span><span class="s">"banana"</span><span class="o">,</span> <span class="mi">0</span><span class="o">);</span> <span class="c1">// i will be 0 since "banana" is not in the map</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">i</span><span class="o">);</span> </code></pre> </div> <p> </p> <p> </p> <h3> Static methods </h3> <p>Java 8 also introduced static methods in interfaces, <br> allowing developers to define utility methods that are related to the interface but do not require an instance of the implementing class to be invoked. <br> This feature helps organize code better and provides a way to group related functionality.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">interface</span> <span class="nc">MyInterface</span> <span class="o">{</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">utilityMethod</span><span class="o">()</span> <span class="o">{</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="s">"This is a static method in the interface."</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="c1">// Usage:</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">MyClass</span> <span class="kd">implements</span> <span class="nc">MyInterface</span> <span class="o">{</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">someMethod</span><span class="o">()</span> <span class="o">{</span> <span class="c1">// Calling the static method</span> <span class="nc">MyInterface</span><span class="o">.</span><span class="na">utilityMethod</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p> </p> <p> </p> <h3> Real JDK example of static method </h3> <p> </p> <p><span>Interface:</span> <strong><code>java.util.Collections</code></strong><br>  </p> <p><span>Purpose:</span> Provides utility methods for collection operations.<br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">final</span> <span class="kd">class</span> <span class="nc">Collections</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;</span> <span class="nc">List</span><span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;</span> <span class="nf">emptyList</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="o">(</span><span class="nc">List</span><span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;)</span> <span class="no">EMPTY_LIST</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="c1">// Usage:</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">empty</span> <span class="o">=</span> <span class="nc">Collections</span><span class="o">.</span><span class="na">emptyList</span><span class="o">();</span> <span class="c1">// Output: []</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">empty</span><span class="o">);</span> </code></pre> </div> <p> </p> <p> </p> <p><span>Interface:</span> <strong><code>java.util.Map</code></strong><br>  </p> <p><span>Purpose:</span> Provides utility methods when using Map like "of()" method.<br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">interface</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="no">K</span><span class="o">,</span> <span class="no">V</span><span class="o">&gt;</span> <span class="o">{</span> <span class="kd">static</span> <span class="o">&lt;</span><span class="no">K</span><span class="o">,</span> <span class="no">V</span><span class="o">&gt;</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="no">K</span><span class="o">,</span> <span class="no">V</span><span class="o">&gt;</span> <span class="nf">of</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">HashMap</span><span class="o">&lt;&gt;();</span> <span class="o">}</span> <span class="kd">static</span> <span class="o">&lt;</span><span class="no">K</span><span class="o">,</span> <span class="no">V</span><span class="o">&gt;</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="no">K</span><span class="o">,</span> <span class="no">V</span><span class="o">&gt;</span> <span class="nf">of</span><span class="o">(</span><span class="no">K</span> <span class="n">k1</span><span class="o">,</span> <span class="no">V</span> <span class="n">v1</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="no">K</span><span class="o">,</span> <span class="no">V</span><span class="o">&gt;</span> <span class="n">map</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashMap</span><span class="o">&lt;&gt;();</span> <span class="n">map</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="n">k1</span><span class="o">,</span> <span class="n">v1</span><span class="o">);</span> <span class="k">return</span> <span class="n">map</span><span class="o">;</span> <span class="o">}</span> <span class="c1">// Additional overloaded of() methods for more key-value pairs</span> <span class="o">}</span> <span class="c1">// Usage:</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Integer</span><span class="o">&gt;</span> <span class="n">map</span> <span class="o">=</span> <span class="nc">Map</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="s">"apple"</span><span class="o">,</span> <span class="mi">1</span><span class="o">,</span> <span class="s">"banana"</span><span class="o">,</span> <span class="mi">2</span><span class="o">);</span> <span class="c1">// Output: {apple=1, banana=2}</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">map</span><span class="o">);</span> </code></pre> </div> <p> </p> <p> </p> <h3> Functional interfaces </h3> <p>Java 8 introduced the concept of functional interfaces, which are interfaces that contain exactly one abstract method. <br> This feature is crucial for enabling lambda expressions and method references, allowing for more concise and expressive code.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@FunctionalInterface</span> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">MyFunctionalInterface</span> <span class="o">{</span> <span class="kt">void</span> <span class="nf">singleAbstractMethod</span><span class="o">();</span> <span class="o">}</span> <span class="c1">// Usage:</span> <span class="nc">MyFunctionalInterface</span> <span class="n">func</span> <span class="o">=</span> <span class="o">()</span> <span class="o">-&gt;</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="s">"Lambda expression implementation."</span><span class="o">);</span> <span class="c1">// Output: Lambda expression implementation.</span> <span class="n">func</span><span class="o">.</span><span class="na">singleAbstractMethod</span><span class="o">();</span> </code></pre> </div> <p> </p> <p> </p> <h3> Real JDK example of functional interface </h3> <p> </p> <p>The java.util.function package was added in Java 8 and contains dozens of general-purpose functional interfaces. <br> Here are the most widely used ones—with real usage examples:<br>  </p> <p> </p> <p><span>Interface:</span> <strong><code>java.util.function.Predicate&lt;T&gt;</code></strong><br>  </p> <p><span>Purpose:</span> Represents a boolean-valued function of one argument.<br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@FunctionalInterface</span> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">Predicate</span><span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;</span> <span class="o">{</span> <span class="kt">boolean</span> <span class="nf">test</span><span class="o">(</span><span class="no">T</span> <span class="n">t</span><span class="o">);</span> <span class="o">}</span> <span class="c1">// Usage:</span> <span class="nc">Predicate</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">isEmpty</span> <span class="o">=</span> <span class="n">str</span> <span class="o">-&gt;</span> <span class="n">str</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">();</span> <span class="c1">// Output: true</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">isEmpty</span><span class="o">.</span><span class="na">test</span><span class="o">(</span><span class="s">""</span><span class="o">));</span> <span class="c1">// Output: false</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">isEmpty</span><span class="o">.</span><span class="na">test</span><span class="o">(</span><span class="s">"hello"</span><span class="o">));</span> </code></pre> </div> <p> </p> <p><span>Interface:</span> <strong><code>java.util.function.Function&lt;T, T&gt;</code></strong><br>  </p> <p><span>Purpose:</span> Represents a function that accepts one argument and produces a result.<br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@FunctionalInterface</span> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">Function</span><span class="o">&lt;</span><span class="no">T</span><span class="o">,</span> <span class="no">R</span><span class="o">&gt;</span> <span class="o">{</span> <span class="no">R</span> <span class="nf">apply</span><span class="o">(</span><span class="no">T</span> <span class="n">t</span><span class="o">);</span> <span class="o">}</span> <span class="c1">// Usage:</span> <span class="nc">Function</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Integer</span><span class="o">&gt;</span> <span class="n">stringLength</span> <span class="o">=</span> <span class="n">str</span> <span class="o">-&gt;</span> <span class="n">str</span><span class="o">.</span><span class="na">length</span><span class="o">();</span> <span class="c1">// Output: 5</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">stringLength</span><span class="o">.</span><span class="na">apply</span><span class="o">(</span><span class="s">"hello"</span><span class="o">));</span> <span class="c1">// Output: 0</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">stringLength</span><span class="o">.</span><span class="na">apply</span><span class="o">(</span><span class="s">""</span><span class="o">));</span> </code></pre> </div> <p> </p> <p><span>Interface:</span> <strong><code>java.util.function.Consumer&lt;T&gt;</code></strong><br>  </p> <p><span>Purpose:</span> Represents an operation that accepts a single input argument and returns no result.<br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@FunctionalInterface</span> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">Consumer</span><span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;</span> <span class="o">{</span> <span class="kt">void</span> <span class="nf">accept</span><span class="o">(</span><span class="no">T</span> <span class="n">t</span><span class="o">);</span> <span class="o">}</span> <span class="c1">// Usage:</span> <span class="nc">Consumer</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">print</span> <span class="o">=</span> <span class="n">str</span> <span class="o">-&gt;</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">str</span><span class="o">);</span> <span class="c1">// Output: hello</span> <span class="n">print</span><span class="o">.</span><span class="na">accept</span><span class="o">(</span><span class="s">"hello"</span><span class="o">);</span> <span class="c1">// Output: world</span> <span class="n">print</span><span class="o">.</span><span class="na">accept</span><span class="o">(</span><span class="s">"world"</span><span class="o">);</span> </code></pre> </div> <p> </p> <p><span>Interface:</span> <strong><code>java.util.function.Supplier&lt;T&gt;</code></strong><br>  </p> <p><span>Purpose:</span> Represents a supplier of results.<br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@FunctionalInterface</span> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">Supplier</span><span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;</span> <span class="o">{</span> <span class="no">T</span> <span class="nf">get</span><span class="o">();</span> <span class="o">}</span> <span class="c1">// Usage:</span> <span class="nc">Supplier</span><span class="o">&lt;</span><span class="nc">Double</span><span class="o">&gt;</span> <span class="n">randomValue</span> <span class="o">=</span> <span class="o">()</span> <span class="o">-&gt;</span> <span class="nc">Math</span><span class="o">.</span><span class="na">random</span><span class="o">();</span> <span class="c1">// Output: Random double value</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">randomValue</span><span class="o">.</span><span class="na">get</span><span class="o">());</span> <span class="c1">// Output: Another random double value</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">randomValue</span><span class="o">.</span><span class="na">get</span><span class="o">());</span> </code></pre> </div> <p> </p> <p><span>Interface:</span> <strong><code>java.util.function.UnaryOperator&lt;T&gt; (extends Function&lt;T, T&gt;)</code></strong><br>  </p> <p><span>Purpose:</span> Represents a function that takes one argument and returns a result of the same type.<br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@FunctionalInterface</span> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">UnaryOperator</span><span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;</span> <span class="kd">extends</span> <span class="nc">Function</span><span class="o">&lt;</span><span class="no">T</span><span class="o">,</span> <span class="no">T</span><span class="o">&gt;</span> <span class="o">{</span> <span class="o">}</span> <span class="c1">// Usage:</span> <span class="nc">UnaryOperator</span><span class="o">&lt;</span><span class="nc">Integer</span><span class="o">&gt;</span> <span class="n">square</span> <span class="o">=</span> <span class="n">x</span> <span class="o">-&gt;</span> <span class="n">x</span> <span class="o">*</span> <span class="n">x</span><span class="o">;</span> <span class="c1">// Output: 25</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">square</span><span class="o">.</span><span class="na">apply</span><span class="o">(</span><span class="mi">5</span><span class="o">));</span> <span class="c1">// Output: 0</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">square</span><span class="o">.</span><span class="na">apply</span><span class="o">(</span><span class="mi">0</span><span class="o">));</span> </code></pre> </div> <p> </p> <p><span>Interface:</span> <strong><code>java.util.function. BinaryOperator&lt;T&gt; (extends BiFunction&lt;T, T, T&gt;)</code></strong><br>  </p> <p><span>Purpose:</span> Represents an operation upon two operands of the same type, producing a result of the same type.<br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@FunctionalInterface</span> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">BinaryOperator</span><span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;</span> <span class="kd">extends</span> <span class="nc">BiFunction</span><span class="o">&lt;</span><span class="no">T</span><span class="o">,</span> <span class="no">T</span><span class="o">,</span> <span class="no">T</span><span class="o">&gt;</span> <span class="o">{</span> <span class="o">}</span> <span class="c1">// Usage:</span> <span class="nc">BinaryOperator</span><span class="o">&lt;</span><span class="nc">Integer</span><span class="o">&gt;</span> <span class="n">add</span> <span class="o">=</span> <span class="o">(</span><span class="n">x</span><span class="o">,</span> <span class="n">y</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">x</span> <span class="o">+</span> <span class="n">y</span><span class="o">;</span> <span class="c1">// or</span> <span class="nc">BinaryOperator</span><span class="o">&lt;</span><span class="nc">Integer</span><span class="o">&gt;</span> <span class="n">addWithMethodReference</span> <span class="o">=</span> <span class="nl">Integer:</span><span class="o">:</span><span class="n">sum</span><span class="o">;</span> <span class="c1">// Output: 15</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">add</span><span class="o">.</span><span class="na">apply</span><span class="o">(</span><span class="mi">5</span><span class="o">,</span> <span class="mi">10</span><span class="o">));</span> <span class="c1">// Output: 0</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">addWithMethodReference</span><span class="o">.</span><span class="na">apply</span><span class="o">(</span><span class="mi">0</span><span class="o">,</span> <span class="mi">0</span><span class="o">));</span> </code></pre> </div> <p> </p> <p>Some of the interfaces that was lunched before Java 8, updated to be functional interfaces:</p> <p> <br>  </p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Interface</th> <th>Package</th> <th>Abstract Method</th> <th>Common Use</th> </tr> </thead> <tbody> <tr> <td><code>Runnable</code></td> <td><code>java.lang</code></td> <td><code>void run()</code></td> <td>Threading, executors</td> </tr> <tr> <td><code>Callable&lt;V&gt;</code></td> <td><code>java.util.concurrent</code></td> <td><code>V call()</code></td> <td>Threading with return value</td> </tr> <tr> <td><code>Comparator&lt;T&gt;</code></td> <td><code>java.util</code></td> <td><code>int compare(T a, T b)</code></td> <td>Sorting</td> </tr> <tr> <td><code>ActionListener</code></td> <td><code>java.awt.event</code></td> <td><code>void actionPerformed(...)</code></td> <td>GUI events</td> </tr> </tbody> </table></div> <p> <br>  </p> <h3> Why These Matter </h3> <p> <br>  </p> <p>These features significantly enhanced Java's interface capabilities:<br> Backward compatibility: Millions of existing Map or List implementations (e.g., ArrayList, HashMap, or custom ones) automatically got these new methods without recompilation.<br> Cleaner code: Eliminated boilerplate (e.g., manual loops for filtering).<br> Functional style: Enabled fluent, declarative data processing.</p> <p> </p> <p> </p> <center id="september-2018---java-11"><b>📍</b></center> <center><b>September 2018 - Java 11</b></center> <center><b>Private methods - inherited from Java 9<b></b></b></center> <p> </p> <p>Java 11 is an LTS release but did not add any new interface features. <br> However, it includes all interface enhancements from Java 9, <br> which introduced private methods in interfaces (standardized and fully supported in Java 11).</p> <p>Private methods in interfaces allow developers to encapsulate common logic that can be reused by default methods within the same interface.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">DataProcessor</span> <span class="o">{</span> <span class="k">default</span> <span class="kt">void</span> <span class="nf">process</span><span class="o">(</span><span class="nc">String</span> <span class="n">data</span><span class="o">)</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">cleaned</span> <span class="o">=</span> <span class="n">sanitize</span><span class="o">(</span><span class="n">data</span><span class="o">);</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="s">"Processed: "</span> <span class="o">+</span> <span class="n">cleaned</span><span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">String</span> <span class="nf">sanitize</span><span class="o">(</span><span class="nc">String</span> <span class="n">input</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="n">input</span><span class="o">.</span><span class="na">trim</span><span class="o">().</span><span class="na">toLowerCase</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@SuppressWarnings</span><span class="o">(</span><span class="s">"checkstyle:WhitespaceAround"</span><span class="o">)</span> <span class="kd">static</span> <span class="nc">DataProcessor</span> <span class="nf">create</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">DataProcessor</span><span class="o">()</span> <span class="o">{</span> <span class="o">};</span> <span class="o">}</span> <span class="o">}</span> <span class="c1">// Usage:</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">TestInterfacePrivateMethod</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">DataProcessor</span> <span class="n">processor</span> <span class="o">=</span> <span class="nc">DataProcessor</span><span class="o">.</span><span class="na">create</span><span class="o">();</span> <span class="c1">// Output: Processed: hello world</span> <span class="n">processor</span><span class="o">.</span><span class="na">process</span><span class="o">(</span><span class="s">" HELLO WORLD "</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p> </p> <p> </p> <center id="september-2021---java-17"><b>📍</b></center> <center><b>September 2021 - Java 17</b></center> <center><b>Sealed interfaces<b></b></b></center> <p> </p> <p>Java 17 introduces sealed interfaces (along with sealed classes), <br> allowing you to restrict which classes or interfaces can implement your interface. <br> This enhances domain modeling and works seamlessly with pattern matching.</p> <p><strong>New interface feature:</strong> Sealed interfaces with permits clause</p> <p> <br>  </p> <p>Rules:</p> <ul> <li>Subtypes must be listed in permits (or in the same file).</li> <li>Each permitted subtype must have a class modifier: final, sealed, or non-sealed.</li> </ul> <p> </p> <p><strong>sealed:</strong> restricts who can extend/implement you.<br> <strong>final:</strong> cannot be extended.<br> <strong>non-sealed:</strong> can be extended, even though your parent is sealed.</p> <p><span></span></p> <p><em>Note: non-sealed is only allowed on classes (or interfaces) that directly extend <br> or implement a sealed type and are listed in its permits clause.</em></p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="c1">// Sealed interface. Can only be implemented by Circle, Rectangle, and Polygon.</span> <span class="kd">public</span> <span class="n">sealed</span> <span class="kd">interface</span> <span class="nc">Shape</span> <span class="n">permits</span> <span class="nc">Circle</span><span class="o">,</span> <span class="nc">Rectangle</span><span class="o">,</span> <span class="nc">Polygon</span> <span class="o">{}</span> <span class="c1">// Final class. Cannot be extended further.</span> <span class="kd">final</span> <span class="kd">class</span> <span class="nc">Circle</span> <span class="kd">implements</span> <span class="nc">Shape</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">final</span> <span class="kt">double</span> <span class="n">radius</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">Circle</span><span class="o">(</span><span class="kt">double</span> <span class="n">radius</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">radius</span> <span class="o">=</span> <span class="n">radius</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="c1">// Sealed subclass (continues restriction)</span> <span class="n">sealed</span> <span class="kd">class</span> <span class="nc">Polygon</span> <span class="kd">implements</span> <span class="nc">Shape</span> <span class="n">permits</span> <span class="nc">Quadrilateral</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">sides</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">Polygon</span><span class="o">(</span><span class="kt">int</span> <span class="n">sides</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">sides</span> <span class="o">=</span> <span class="n">sides</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="c1">// Can be extended further</span> <span class="n">non</span><span class="o">-</span><span class="n">sealed</span> <span class="kd">class</span> <span class="nc">Rectangle</span> <span class="kd">implements</span> <span class="nc">Shape</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">final</span> <span class="kt">double</span> <span class="n">width</span><span class="o">,</span> <span class="n">height</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">Rectangle</span><span class="o">(</span><span class="kt">double</span> <span class="n">w</span><span class="o">,</span> <span class="kt">double</span> <span class="n">h</span><span class="o">)</span> <span class="o">{</span> <span class="n">width</span> <span class="o">=</span> <span class="n">w</span><span class="o">;</span> <span class="n">height</span> <span class="o">=</span> <span class="n">h</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p> </p> <p> </p> <center id="september-2023---java-21"><b>📍</b></center> <center><b>September 2023 - Java 21</b></center> <center><b>Better Integration<b></b></b></center> <p> </p> <p>Java 21 does not add new interface-specific features, <br> but it enhances how interfaces are used through: <strong>Pattern matching for switch</strong><br> Simplifies type checks and casts when working with interface implementations.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="n">sealed</span> <span class="kd">interface</span> <span class="nc">Expr</span> <span class="n">permits</span> <span class="nc">Constant</span><span class="o">,</span> <span class="nc">Add</span> <span class="o">{}</span> <span class="n">record</span> <span class="nf">Constant</span><span class="o">(</span><span class="kt">int</span> <span class="n">value</span><span class="o">)</span> <span class="kd">implements</span> <span class="nc">Expr</span> <span class="o">{}</span> <span class="n">record</span> <span class="nf">Add</span><span class="o">(</span><span class="nc">Expr</span> <span class="n">left</span><span class="o">,</span> <span class="nc">Expr</span> <span class="n">right</span><span class="o">)</span> <span class="kd">implements</span> <span class="nc">Expr</span> <span class="o">{}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">int</span> <span class="nf">eval</span><span class="o">(</span><span class="nc">Expr</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nf">switch</span> <span class="o">(</span><span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">case</span> <span class="nc">Constant</span> <span class="n">c</span> <span class="o">-&gt;</span> <span class="n">c</span><span class="o">.</span><span class="na">value</span><span class="o">;</span> <span class="k">case</span> <span class="nc">Add</span> <span class="n">a</span> <span class="o">-&gt;</span> <span class="n">eval</span><span class="o">(</span><span class="n">a</span><span class="o">.</span><span class="na">left</span><span class="o">)</span> <span class="o">+</span> <span class="n">eval</span><span class="o">(</span><span class="n">a</span><span class="o">.</span><span class="na">right</span><span class="o">);</span> <span class="o">};</span> <span class="o">}</span> <span class="c1">// Usage:</span> <span class="nc">Expr</span> <span class="n">expr</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Add</span><span class="o">(</span><span class="k">new</span> <span class="nc">Constant</span><span class="o">(</span><span class="mi">3</span><span class="o">),</span> <span class="k">new</span> <span class="nc">Constant</span><span class="o">(</span><span class="mi">5</span><span class="o">));</span> <span class="c1">// Output: 8</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">eval</span><span class="o">(</span><span class="n">expr</span><span class="o">));</span> </code></pre> </div> <p> <br>  </p> <p><a id="best-practices"></a></p> <h2> Best practices </h2> <ul> <li><p><strong>Use default methods sparingly:</strong> Default methods should be used to add new functionality or provide optional implementations, not to fundamentally change the interface's contract.</p></li> <li><p><strong>Consider the impact on implementing classes:</strong> When adding default methods, carefully consider how they will affect existing implementations.</p></li> <li><p><strong>Use static methods for utility functions:</strong> Static methods should be used for utility functions that are closely related to the interface.</p></li> <li><p><strong>Document default and static methods clearly:</strong> Provide clear and concise documentation for all default and static methods, explaining their purpose and usage.</p></li> <li><p><strong>Avoid state in interfaces:</strong> Interfaces should generally not maintain state. Default methods should primarily operate on the state of the implementing class.</p></li> </ul> <p> <br>  </p> <p><a id="conclusion"></a></p> <h2> Conclusion </h2> <p>SAST remains one of the cornerstones of a mature <strong>SSDLC</strong>. It provides early, actionable insights into code security, reduces risk, empowers developers, and fortifies applications before deployment.<br> Implemented with care, <strong>SAST</strong> becomes more than just a detection tool; it becomes a catalyst for a long-term secure engineering culture.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6wusuyczlxshwj3vhq5b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6wusuyczlxshwj3vhq5b.png" alt="Java interface evolution" width="788" height="569"></a></p> <p> <br>  </p> <p>Originally published on my personal blog: <a href="https://matevosian.tech/blog/post/Java-interface-evolution" rel="noopener noreferrer">https://matevosian.tech/blog/post/Java-interface-evolution</a></p> <p> <br>  </p> java interface Security isn’t just about code Vardan Matevosian Tue, 23 Dec 2025 10:48:46 +0000 https://dev.to/vardan_matevosian_tech/security-isnt-just-about-code-30ae https://dev.to/vardan_matevosian_tech/security-isnt-just-about-code-30ae <p>📜 I didn’t get into security because it was a trendy field. It started back when I was a junior developer. At some point, I realized that being a developer isn’t just about writing code, seeing it work, and feeling satisfied.</p> <p>Real people use the applications we build. That’s when I started asking myself questions:<br> 🕵️‍♂️ These users have access to the application, but what exactly can they access?<br> 🕵️‍♂️ What permissions do they have?<br> 🕵️‍♂️ What if someone without proper rights could use a feature and harm other users?<br> 🕵️‍♂️ And what if that incident damaged the company’s reputation?</p> <p>From that moment, I began to delve deeper into application and user security, and over time, I realized that security isn’t about adding extra layers later; it’s about responsibility for the people who trust our code.</p> <p>Today, I see security as part of software architecture itself. It’s something that should be considered from the first line of code, not after deployment.</p> <p>That realization made me want to understand what “secure code” really means, and that’s where my journey into application security truly began…</p> security software Automating code security in CI/CD: SonarCloud SAST guide (Part 3) Vardan Matevosian Wed, 17 Dec 2025 18:29:13 +0000 https://dev.to/vardan_matevosian_tech/automating-code-security-in-cicd-sonarcloud-sast-guide-part-3-37ln https://dev.to/vardan_matevosian_tech/automating-code-security-in-cicd-sonarcloud-sast-guide-part-3-37ln <p> </p> <p><em>Note: Click on the image to see a larger (original) version.</em></p> <p> </p> <h2> Introduction </h2> <p>In this part of our <strong>SAST</strong> series, we focus on practical steps to incorporate <strong>SAST</strong> using <strong>SonarQube</strong>.</p> <p>You will receive a comprehensive step-by-step guide on how to integrate <strong>SonarQube</strong> into your <strong>CI/CD workflow</strong> and automate the process.</p> <p>We will explore:</p> <ul> <li>Integrating SonarQube scanning into the <strong>CI/CD pipeline</strong> using <strong>GitHub Actions</strong> </li> <li>Failing the pipeline based on SonarQube's default <strong>Quality Gates</strong> for a free account</li> <li>Adding unit tests and the <strong>JaCoCo plugin</strong> for code coverage</li> </ul> <p>Tools:</p> <ul> <li>SonarQube Cloud</li> <li>GitHub Actions</li> <li>JaCoCo</li> <li>Spring Boot</li> <li>IntelliJ IDEA</li> <li>JUnit 5</li> </ul> <p>By following this comprehensive guide, you will be able to seamlessly integrate SAST into your SSDLC process and improve your software’s security posture.</p> <p> <br>  </p> <h2> Integrating SonarQube scanning into the CI/CD pipeline using GitHub Actions </h2> <p>If you haven't created a <strong>Spring Boot</strong> project yet, then you can do so in this section. Create a Spring Boot project using <strong>IntelliJ IDEA</strong> or the <strong>Spring Boot Initializr</strong> at <a href="https://start.spring.io/" rel="noopener noreferrer">https://start.spring.io/</a>. Click <strong>Next</strong> and generate the project without dependencies.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvskf6jx0uc1808urce3t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvskf6jx0uc1808urce3t.png" alt="Spring Boot Initializr in IntelliJ IDEA" width="800" height="687"></a></p> <p> <br>  </p> <p>Update the <strong>“gradle.build”</strong> file to look like this. We will use Spring Boot 3 and Java 17, and will exclude tests for now.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight gradle"><code> <span class="n">plugins</span> <span class="o">{</span> <span class="n">id</span> <span class="s1">'java'</span> <span class="n">id</span> <span class="s2">"org.sonarqube"</span> <span class="n">version</span> <span class="s2">"7.0.0.6105"</span> <span class="n">id</span> <span class="s1">'org.springframework.boot'</span> <span class="n">version</span> <span class="s1">'3.0.0'</span> <span class="n">id</span> <span class="s1">'io.spring.dependency-management'</span> <span class="n">version</span> <span class="s1">'1.1.7'</span> <span class="o">}</span> <span class="n">group</span> <span class="o">=</span> <span class="s1">'com.practice'</span> <span class="n">version</span> <span class="o">=</span> <span class="s1">'0.0.1-SNAPSHOT'</span> <span class="n">description</span> <span class="o">=</span> <span class="s1">'sonarqube_actions_demo'</span> <span class="n">java</span> <span class="o">{</span> <span class="n">toolchain</span> <span class="o">{</span> <span class="n">languageVersion</span> <span class="o">=</span> <span class="n">JavaLanguageVersion</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="mi">17</span><span class="o">)</span> <span class="o">}</span> <span class="o">}</span> <span class="n">configurations</span> <span class="o">{</span> <span class="n">compileOnly</span> <span class="o">{</span> <span class="n">extendsFrom</span> <span class="n">annotationProcessor</span> <span class="o">}</span> <span class="o">}</span> <span class="k">repositories</span> <span class="o">{</span> <span class="n">mavenCentral</span><span class="o">()</span> <span class="o">}</span> <span class="k">dependencies</span> <span class="o">{</span> <span class="c1">// Spring boot runtime</span> <span class="n">implementation</span> <span class="s1">'org.springframework.boot:spring-boot-starter-web'</span> <span class="c1">// Observability</span> <span class="n">implementation</span> <span class="s1">'ch.qos.logback:logback-classic:1.5.13'</span> <span class="n">implementation</span> <span class="s1">'ch.qos.logback:logback-core:1.5.19'</span> <span class="o">}</span> <span class="kt">def</span> <span class="n">localProps</span> <span class="o">=</span> <span class="k">new</span> <span class="n">Properties</span><span class="o">()</span> <span class="kt">def</span> <span class="n">localFile</span> <span class="o">=</span> <span class="n">file</span><span class="o">(</span><span class="s2">"gradle-local.properties"</span><span class="o">)</span> <span class="k">if</span> <span class="o">(</span><span class="n">localFile</span><span class="o">.</span><span class="na">exists</span><span class="o">())</span> <span class="o">{</span> <span class="n">localProps</span><span class="o">.</span><span class="na">load</span><span class="o">(</span><span class="n">localFile</span><span class="o">.</span><span class="na">newDataInputStream</span><span class="o">())</span> <span class="o">}</span> <span class="n">sonar</span> <span class="o">{</span> <span class="n">properties</span> <span class="o">{</span> <span class="n">property</span> <span class="s2">"sonar.projectKey"</span><span class="o">,</span> <span class="n">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s2">"SONAR_PROJECT_KEY"</span><span class="o">)</span> <span class="o">?:</span> <span class="n">localProps</span><span class="o">[</span><span class="s2">"sonar.projectKey"</span><span class="o">]</span> <span class="n">property</span> <span class="s2">"sonar.organization"</span><span class="o">,</span> <span class="n">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s2">"SONAR_ORGANIZATION_KEY"</span><span class="o">)</span> <span class="o">?:</span> <span class="n">localProps</span><span class="o">[</span><span class="s2">"sonar.organization"</span><span class="o">]</span> <span class="n">property</span> <span class="s2">"sonar.projectName"</span><span class="o">,</span> <span class="n">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s2">"SONAR_PROJECT_NAME"</span><span class="o">)</span> <span class="o">?:</span> <span class="n">localProps</span><span class="o">[</span><span class="s2">"sonar.projectName"</span><span class="o">]</span> <span class="n">property</span> <span class="s2">"sonar.token"</span><span class="o">,</span> <span class="n">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s2">"SONAR_TOKEN"</span><span class="o">)</span> <span class="o">?:</span> <span class="n">localProps</span><span class="o">[</span><span class="s2">"sonar.token"</span><span class="o">]</span> <span class="n">property</span> <span class="s2">"sonar.host.url"</span><span class="o">,</span> <span class="n">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s2">"SONAR_HOST_URL"</span><span class="o">)</span> <span class="o">?:</span> <span class="n">localProps</span><span class="o">[</span><span class="s2">"sonar.host.url"</span><span class="o">]</span> <span class="o">}</span> <span class="o">}</span> <span class="n">tasks</span><span class="o">.</span><span class="na">named</span><span class="o">(</span><span class="s1">'test'</span><span class="o">)</span> <span class="o">{</span> <span class="n">useJUnitPlatform</span><span class="o">()</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <p>Create the <strong>“gradle-local.properties”</strong> file to run SonarQube locally:</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="s">systemProp.sonar.qualitygate.wait=true</span> <span class="s">sonar.projectKey=sonarqube_actions_demo_key</span> <span class="s">sonar.organization=local-organization</span> <span class="s">sonar.projectName=sonarqube_actions_demo</span> <span class="s">sonar.token=sqp_b7dc8e023b58eb785b11c6c468cda2b79eb6090b</span> <span class="s">sonar.host.url=http://localhost:9000</span> <span class="s">sonar.coverage.JaCoCo.xmlReportPaths=build/reports/JaCoCo/test/JaCoCoTestReport.xml</span> </code></pre> </div> <p> <br>  </p> <p>Add the <strong>“gradle-local.properties”</strong> file, build, and <strong>.gradle</strong> folders to the <strong>“.gitignore”</strong> file.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### Build ### /build /.gradle ### Custom file ### gradle-local.properties </code></pre> </div> <p> <br>  </p> <p>Create a <strong>build.yml</strong> file for the <strong>CI/CD workflow</strong> using <strong>GitHub Actions</strong> in the <strong>.github/workflows/</strong> folder at the root of your project.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">name</span><span class="pi">:</span> <span class="s">SonarQube</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">main'</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">branch-name-policy</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">branch-name-policy</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check PR source branch name</span> <span class="na">shell</span><span class="pi">:</span> <span class="s">bash</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">if [ "${{ github.event_name }}" = "pull_request" ]; then</span> <span class="s">BRANCH="${{ github.head_ref }}"</span> <span class="s">else</span> <span class="s">BRANCH="${{ github.ref_name }}"</span> <span class="s">fi</span> <span class="s">echo "PR head ref: $BRANCH"</span> <span class="s">if [[ "$BRANCH" =~ ^(release/|hotfix/|feature/|bugfix/|test|main).* ]]; then</span> <span class="s">echo "Allowed branch pattern: $BRANCH"</span> <span class="s">exit 0</span> <span class="s">else</span> <span class="s">echo "::error ::Branch name '$BRANCH' is not allowed to merge into main. Allowed patterns: release/*, hotfix/*, feature/*, bugfix/*, test*"</span> <span class="s">exit 1</span> <span class="s">fi</span> <span class="na">build</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">container</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">eclipse-temurin:17-jdk</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout source code to docker ubuntu container</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">token</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build project</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./gradlew build -x test</span> <span class="na">sast</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">build</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SonarQube Scan</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout source code to docker ubuntu container</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Cache SonarQube packages</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/cache@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">~/.sonar/cache</span> <span class="na">key</span><span class="pi">:</span> <span class="s">${{ runner.os }}-sonar</span> <span class="na">restore-keys</span><span class="pi">:</span> <span class="s">${{ runner.os }}-sonar</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SonarQube Scan</span> <span class="na">env</span><span class="pi">:</span> <span class="na">SONAR_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_TOKEN }}</span> <span class="na">SONAR_HOST_URL</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_HOST_URL }}</span> <span class="na">SONAR_ORGANIZATION_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_ORGANIZATION_KEY }}</span> <span class="na">SONAR_PROJECT_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_PROJECT_KEY }}</span> <span class="na">SONAR_PROJECT_NAME</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_PROJECT_NAME }}</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./gradlew sonar --info</span> </code></pre> </div> <p> <br>  </p> <h3> Workflow name </h3> <p>This is the name that appears on the GitHub Actions UI.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">name</span><span class="pi">:</span> <span class="s">SonarQube</span> </code></pre> </div> <p> <br>  </p> <h3> Workflow trigger </h3> <p>This workflow runs on: </p> <ul> <li>pushing changes to the main branch</li> <li>pull requests that target the main branch</li> </ul> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">main'</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> </code></pre> </div> <p> <br>  </p> <h3> Job Section </h3> <p>All jobs must be nested inside the job section.<br> The workflow contains three jobs:</p> <ul> <li>branch-name-policy – validates branch naming</li> <li>build – builds the application</li> <li>sast (SonarQube scan) – performs the SonarQube scan</li> </ul> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">jobs</span><span class="pi">:</span> </code></pre> </div> <p> <br>  </p> <h3> branch-name-policy </h3> <p>Job <strong>branch-name-policy</strong> is the branch name policy validation. This job runs first. This ensures developers follow consistent branch naming patterns.<br> Advantages:</p> <ul> <li>Keeps the repository clean</li> <li>Improves automation</li> <li>Prevents merging from incorrectly named branches</li> </ul> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">branch-name-policy</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">branch-name-policy</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check PR source branch name</span> <span class="na">shell</span><span class="pi">:</span> <span class="s">bash</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">if [ "${{ github.event_name }}" = "pull_request" ]; then</span> <span class="s">BRANCH="${{ github.head_ref }}"</span> <span class="s">else</span> <span class="s">BRANCH="${{ github.ref_name }}"</span> <span class="s">fi</span> <span class="s">echo "PR head ref: $BRANCH"</span> <span class="s">if [[ "$BRANCH" =~ ^(release/|hotfix/|feature/|bugfix/|test|main).* ]]; then</span> <span class="s">echo "Allowed branch pattern: $BRANCH"</span> <span class="s">exit 0</span> <span class="s">else</span> <span class="s">echo "::error ::Branch name '$BRANCH' is not allowed to merge into main. Allowed patterns: release/*, hotfix/*, feature/*, bugfix/*, test*"</span> <span class="s">exit 1</span> <span class="s">fi</span> </code></pre> </div> <p> <br>  </p> <p>Steps inside the branch-name-policy job.</p> <p><strong>Step 1: Detect branch name.</strong> <br> GitHub uses different variables depending on the event. The script normalizes the variable so you always get the correct branch name.</p> <p> </p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Event</th> <th>Branch variable</th> </tr> </thead> <tbody> <tr> <td>pull_request</td> <td>${{ github.head_ref }}</td> </tr> <tr> <td>push</td> <td>${{ github.ref_name }}</td> </tr> </tbody> </table></div> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="k">${</span><span class="p">{ github.event_name </span><span class="k">}</span><span class="s2">}"</span> <span class="o">=</span> <span class="s2">"pull_request"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nv">BRANCH</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="p">{ github.head_ref </span><span class="k">}</span><span class="s2">}"</span> <span class="k">else </span><span class="nv">BRANCH</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="p">{ github.ref_name </span><span class="k">}</span><span class="s2">}"</span> <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"PR head ref: </span><span class="nv">$BRANCH</span><span class="s2">"</span> </code></pre> </div> <p> <br>  </p> <p><strong>Step 2: Validate Naming Convention</strong></p> <p>Allows only:</p> <ul> <li>release/*</li> <li>hotfix/*</li> <li>feature/*</li> <li>bugfix/*</li> <li>test*</li> <li>main Anything else <strong>fails</strong> with an <strong>error</strong>.</li> </ul> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="nv">$BRANCH</span><span class="s2">"</span> <span class="o">=</span>~ ^<span class="o">(</span>release/|hotfix/|feature/|bugfix/|test|main<span class="o">)</span>.<span class="k">*</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Allowed branch pattern: </span><span class="nv">$BRANCH</span><span class="s2">"</span> <span class="nb">exit </span>0 <span class="k">else </span><span class="nb">echo</span> <span class="s2">"::error ::Branch name '</span><span class="nv">$BRANCH</span><span class="s2">' is not allowed to merge into main. Allowed patterns: release/*, hotfix/*, feature/*, bugfix/*, test*"</span> <span class="nb">exit </span>1 <span class="k">fi</span> </code></pre> </div> <p> <br>  </p> <h3> build </h3> <p>This job runs a <strong>build</strong> using Java 17 (Eclipse Temurin JDK).</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">build</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">container</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">eclipse-temurin:17-jdk</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout source code to docker ubuntu container</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">token</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build project</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./gradlew build -x test</span> </code></pre> </div> <p> <br>  </p> <p><strong>Build steps:</strong></p> <p><strong>Step 1: Check out the code</strong><br> Using <strong>fetch-depth: 0</strong> ensures the full commit history is available. SonarQube requires this.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout source code to docker ubuntu container</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">token</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> </code></pre> </div> <p> <br>  </p> <p><strong>Step 2: Build using Gradle.</strong></p> <p>This:</p> <ul> <li>Compiles code</li> <li>Packages artifacts</li> <li>Skips tests (-x test) to keep the build fast.</li> </ul> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build project</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./gradlew build -x test</span> </code></pre> </div> <p> <br>  </p> <h3> sast </h3> <p>Job <strong>sast</strong> is for running SonarQube scan.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">sast</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">build</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SonarQube Scan</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout source code to docker ubuntu container</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Cache SonarQube packages</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/cache@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">~/.sonar/cache</span> <span class="na">key</span><span class="pi">:</span> <span class="s">${{ runner.os }}-sonar</span> <span class="na">restore-keys</span><span class="pi">:</span> <span class="s">${{ runner.os }}-sonar</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SonarQube Scan</span> <span class="na">env</span><span class="pi">:</span> <span class="na">SONAR_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_TOKEN }}</span> <span class="na">SONAR_HOST_URL</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_HOST_URL }}</span> <span class="na">SONAR_ORGANIZATION_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_ORGANIZATION_KEY }}</span> <span class="na">SONAR_PROJECT_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_PROJECT_KEY }}</span> <span class="na">SONAR_PROJECT_NAME</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_PROJECT_NAME }}</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./gradlew sonar --info</span> </code></pre> </div> <p> <br>  </p> <p><strong>sast job steps:</strong></p> <p>This job runs <strong>after</strong> the build. If the build fails, the sast job will not run.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">sast</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">build</span> </code></pre> </div> <p> <br>  </p> <p><strong>Step 1</strong>: Each job runs on a fresh machine.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout source code to docker ubuntu container</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> </code></pre> </div> <p> <br>  </p> <p><strong>Step 2</strong>: Cache the scan. Caching speeds up your scans by reusing analyzer packages.<br> GitHub Actions <strong>reuses</strong> previously downloaded analyzers from a cache stored in your workflow runner.</p> <p>Benefit::</p> <ul> <li>Faster Sonar scans</li> <li>Reduced network usage</li> <li>More stable pipeline</li> </ul> <p>SonarQube’s examples recommend caching for performance.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Cache SonarQube packages</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/cache@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">~/.sonar/cache</span> <span class="na">key</span><span class="pi">:</span> <span class="s">${{ runner.os }}-sonar</span> <span class="na">restore-keys</span><span class="pi">:</span> <span class="s">${{ runner.os }}-sonar</span> </code></pre> </div> <p> <br>  </p> <p><strong>Step 3</strong>: Runs the SonarQube scan on your code.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SonarQube Scan</span> <span class="s">env</span><span class="err">:</span> <span class="na">SONAR_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_TOKEN }}</span> <span class="na">SONAR_HOST_URL</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_HOST_URL }}</span> <span class="na">SONAR_ORGANIZATION_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_ORGANIZATION_KEY }}</span> <span class="na">SONAR_PROJECT_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_PROJECT_KEY }}</span> <span class="na">SONAR_PROJECT_NAME</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_PROJECT_NAME }}</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./gradlew sonar --info</span> </code></pre> </div> <p> <br>  </p> <p>Authentication is done via GitHub secrets:</p> <ul> <li>SONAR_TOKEN for authentication</li> <li>SONAR_HOST_URL</li> <li>SONAR_ORGANIZATION_KEY</li> <li>SONAR_PROJECT_KEY</li> <li>SONAR_PROJECT_NAME These are injected as environment variables:</li> </ul> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">env</span><span class="pi">:</span> <span class="na">SONAR_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_TOKEN }}</span> <span class="na">SONAR_HOST_URL</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_HOST_URL }}</span> <span class="na">SONAR_ORGANIZATION_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_ORGANIZATION_KEY }}</span> <span class="na">SONAR_PROJECT_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_PROJECT_KEY }}</span> <span class="na">SONAR_PROJECT_NAME</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_PROJECT_NAME }}</span> </code></pre> </div> <p> <br>  </p> <p>Create the <strong>“application.properties”</strong> file under the <strong>“sonarqube_actions_demo/src/main/resources”</strong> folder. Set the available port on your machine.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code> <span class="py">spring.application.name</span><span class="p">=</span><span class="s">sonarqube_actions_demo</span> <span class="py">server.port</span><span class="p">=</span><span class="s">8008</span> </code></pre> </div> <p> <br>  </p> <p>Create the <strong>“logback-spring.xml”</strong> logging configuration file under <strong>“sonarqube_actions_demo/src/main/resources”</strong> folder.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code> <span class="nt">&lt;configuration&gt;</span> <span class="nt">&lt;appender</span> <span class="na">name=</span><span class="s">"Console"</span> <span class="na">class=</span><span class="s">"ch.qos.logback.core.ConsoleAppender"</span><span class="nt">&gt;</span> <span class="nt">&lt;encoder&gt;</span> <span class="nt">&lt;pattern&gt;</span>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n<span class="nt">&lt;/pattern&gt;</span> <span class="nt">&lt;/encoder&gt;</span> <span class="nt">&lt;/appender&gt;</span> <span class="nt">&lt;root</span> <span class="na">level=</span><span class="s">"INFO"</span><span class="nt">&gt;</span> <span class="nt">&lt;appender-ref</span> <span class="na">ref=</span><span class="s">"Console"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/root&gt;</span> <span class="nt">&lt;/configuration&gt;</span> </code></pre> </div> <p> <br>  </p> <p>Create a <strong>GitHub repository</strong> with the same name as the project.<br> Create a project in <strong>SonarQube Cloud</strong> at <a href="https://sonarcloud.io/projects/create" rel="noopener noreferrer">https://sonarcloud.io/projects/create</a></p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fht615egmdnzdx6z3pqq4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fht615egmdnzdx6z3pqq4.png" alt="SonarQube analyze new project" width="222" height="228"></a></p> <p> <br>  </p> <p>Select the project <strong>sonarqube_actions_demo</strong> and click <strong>“Set Up”</strong></p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsepd8oqbo30b11ssypsz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsepd8oqbo30b11ssypsz.png" alt="SonarQube analyze project setup" width="800" height="236"></a></p> <p> <br>  </p> <p>Select the new code definition as <strong>“Previous version”</strong> and click <strong>“Create project”</strong>.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Famajv2t1qo7nb9vd9rhp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Famajv2t1qo7nb9vd9rhp.png" alt="SonarQube setup new code for project" width="800" height="477"></a></p> <p> <br>  </p> <p>Create repository secrets using GitHub Actions. <br> You can generate the <strong>SONAR_TOKEN</strong> value at <a href="https://sonarcloud.io/account/security" rel="noopener noreferrer">https://sonarcloud.io/account/security</a></p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frk77b3mo2g5o9l7n7ur8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frk77b3mo2g5o9l7n7ur8.png" alt="SonarQube repository secrets" width="800" height="351"></a></p> <p> <br>  </p> <p>Click <strong>Github Actions</strong></p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhc194r7pbk10fjptds3h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhc194r7pbk10fjptds3h.png" alt="SonarQube analisis method GitHub Actions" width="800" height="252"></a></p> <p> <br>  </p> <p>SonarQube will generate the <strong>SONAR_TOKEN</strong> for you. Click the Gradle button to view the project key and organization values. Copy and save these values so you can add them to your GitHub Actions repository secrets.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh512rbaoskfoukdkayos.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh512rbaoskfoukdkayos.png" alt="SonarQube project properties" width="800" height="464"></a></p> <p> <br>  </p> <p>Create GitHub Actions at <a href="https://github.com/VardanMatevosyan/sonarqube_actions_demo/settings/secrets/actions" rel="noopener noreferrer">https://github.com/VardanMatevosyan/sonarqube_actions_demo/settings/secrets/actions</a></p> <p><strong>SONAR_HOST_URL</strong> = <a href="https://sonarcloud.io" rel="noopener noreferrer">https://sonarcloud.io</a><br> <strong>SONAR_ORGANIZATION_KEY</strong> = sonar.organization<br> <strong>SONAR_PROJECT_KEY</strong> = sonar.organization<br> <strong>SONAR_TOKEN</strong> = generated token from the previous step<br> <strong>SONAR_PROJECT_NAME</strong> = sonarqube_actions_demo</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1zn3tnrajsovddmyl7hr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1zn3tnrajsovddmyl7hr.png" alt="GitHub repository secrets" width="800" height="528"></a></p> <p> <br>  </p> <p>Remove the auto-generated test files by the Spring Boot initializer from <strong>src/test/java/com/practice/sonarqube_actions_demo</strong></p> <p>Update the Gradle Wrapper to the 8.8 version by running the following command:</p> <p> <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> gradle wrapper <span class="nt">--gradle-version</span> 8.8 <span class="nt">--distribution-type</span> bin </code></pre> </div> <p> <br>  </p> <p>Build the project by running <strong>./gradlew clean build</strong>, and then run Sonar locally using one of the previously mentioned approaches.<br> If you're using <strong>SonarCloud</strong>, use the project key from the <strong>sonar.projectKey property</strong>.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fci58x6mh7sx6ve5g74yr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fci58x6mh7sx6ve5g74yr.png" alt="IntelliJ IDEA SonarQube plugin analize project window" width="510" height="378"></a></p> <p> <br>  </p> <p>We can see two issues, but both are acceptable in our case.<br> The first one is a false positive because of how we use the variable, we only read the data and compare it with the actual branch name. No execution is involved. This warning refers to a script in the <strong>branch-name-policy</strong> job located in the <strong>build.yml</strong> file.</p> <p>The second issue is our <strong>gradle-local.properties</strong> file, where we manually added the Sonar token. Since this file is included in <strong>.gitignore</strong>, we can safely accept this when our code is analyzed in SonarCloud.</p> <p>As you can see, we get the analysis results immediately without having to push code to <strong>GitHub</strong> every time, which also helps avoid creating unnecessary commits.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3w63blku7fvq7dj924tm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3w63blku7fvq7dj924tm.png" alt="IntelliJ IDEA SonarQube local foundings" width="737" height="396"></a></p> <p> <br>  </p> <p>Push the changes to GitHub.</p> <p>Git commands:<br> Replace <strong><a href="mailto:git@github.com">git@github.com</a>:USERNAME/REPOSITORY.git</strong> with your GitHub repository link.</p> <p> <br>  </p> <h3> Results </h3> <p>All jobs are successful on GitHub. </p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F593qvulo4d20vskuryx6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F593qvulo4d20vskuryx6.png" alt="GitHub Actions jobs pass" width="800" height="350"></a></p> <p> <br>  </p> <p>In <strong>SonarCloud</strong>, go to the Projects section and select the sonarqube_actions_demo project. There, you will see the scanned results, but without Quality Gate. Free-plan users have access only to the default <strong>Quality Gate</strong>.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffc5tjjmei6nsigy7f60t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffc5tjjmei6nsigy7f60t.png" alt="SonarQube main branch not computed" width="800" height="462"></a></p> <p> <br>  </p> <p>Let's protect our main branch on <strong>GitHub</strong> and then create a new <strong>Pull Request</strong> to see how it works.<br> Go to the <strong>Rulesets</strong> at <a href="https://github.com/VardanMatevosyan/sonarqube_actions_demo/settings/rules" rel="noopener noreferrer">https://github.com/VardanMatevosyan/sonarqube_actions_demo/settings/rules</a> and create the Rule for the main branch.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm5hzqqfu1edoezeamoau.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm5hzqqfu1edoezeamoau.png" alt="GitHub new rule creation" width="800" height="349"></a></p> <p> <br>  </p> <p>Here are the configurations</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmk3uxaddc09g295w5i30.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmk3uxaddc09g295w5i30.png" alt="GitHub rule configuration - 1" width="800" height="728"></a></p> <p> <br>  </p> <p>Rules.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi9vgins7l0lmuxmpky4d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi9vgins7l0lmuxmpky4d.png" alt="GitHub rule configuration - 2" width="800" height="420"></a></p> <p> <br>  </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0dzzt3fx1tydewinac5a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0dzzt3fx1tydewinac5a.png" alt="GitHub rule configuration - 3" width="800" height="479"></a></p> <p> <br>  </p> <p>Enable <strong>“Require status checks to pass”</strong> and add three jobs by name that were included in the jobs section in the <strong>build.yml</strong> file.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2m4nw4s24ytn2mutkvd5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2m4nw4s24ytn2mutkvd5.png" alt="GitHub rule configuration - 4" width="737" height="837"></a></p> <p> <br>  </p> <p>Click <strong>Create</strong>.</p> <p><strong>Pull Request workflow jobs check</strong></p> <p>Check out the new branch from the main and make a simple change, as shown in the screenshot below. Push the changes and create a PR with those changes.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe793969oqehmxafymbzk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe793969oqehmxafymbzk.png" alt="IntelliJ IDEA PR gradle dependencies change" width="800" height="260"></a></p> <p> <br>  </p> <p>All jobs have passed.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9wnewmvd461iu6vcn16w.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9wnewmvd461iu6vcn16w.png" alt="GitHub all jobs pass on new PR" width="800" height="662"></a></p> <p> <br>  </p> <p>Merge the changes. Once the changes are merged, you’ll see the jobs running on the main branches.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr9ymcut1erwrxom0srhl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr9ymcut1erwrxom0srhl.png" alt="GitHub all job pass on merge to main branch" width="800" height="550"></a></p> <p> <br>  </p> <p>To view the GitHub Actions details, click one of the Details links related to a specific job. Then select the job you want to inspect, and choose any individual execution step to see its detailed information.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fumcw1ghv1e3u5ktt828n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fumcw1ghv1e3u5ktt828n.png" alt="GitHub Actions job details" width="800" height="374"></a></p> <p> <br>  </p> <p>Let’s check the scanning results on SonarQube. Go to your project at <a href="https://sonarcloud.io/project/overview?id=VardanMatevosyan_sonarqube_actions_demo" rel="noopener noreferrer">https://sonarcloud.io/project/overview?id=VardanMatevosyan_sonarqube_actions_demo</a>. </p> <p>The <strong>“id=VardanMatevosyan”</strong> part of the link will differ depending on your GitHub username. You can see the scanning results for each branch or pull request in the <strong>“Latest Activity”</strong> section, as well as the Main branch status and the Main Branch evolution chart for issues, code coverage, and duplications.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbaiavtk6xr5c8b4yhw2m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbaiavtk6xr5c8b4yhw2m.png" alt="SonarQube scanning result on main branch" width="800" height="531"></a></p> <p> <br>  </p> <p>When you click on a specific branch, you will see the scanning results only for the new code changes included in the particular Pull Request.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi6eeg4qwua1ghlsxwf1c.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi6eeg4qwua1ghlsxwf1c.png" alt="SonarQube scanning result for specific job" width="800" height="379"></a></p> <p> <br>  </p> <p>Let’s accept or mark the issue as a false positive that is acceptable for our application. Go to the <strong>main</strong> branch and click on the <strong>Issues tab</strong>.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmmcimuew2s39ttye9plc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmmcimuew2s39ttye9plc.png" alt="SonarQube main branch issues tab" width="800" height="280"></a></p> <p> <br>  </p> <p>Click on the <strong>Open status</strong> and select, for example, <strong>False Positive</strong>.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frpxfjhv98rfll273b5d2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frpxfjhv98rfll273b5d2.png" alt="SonarQube issue set as false positive" width="800" height="351"></a></p> <p> <br>  </p> <p>Write the comment.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzjopteubzdcvmck2vmd7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzjopteubzdcvmck2vmd7.png" alt="SonarQube false positive comment" width="800" height="365"></a></p> <p> <br>  </p> <p>Return to the project at <a href="https://sonarcloud.io/projects" rel="noopener noreferrer">https://sonarcloud.io/projects</a>, and you will see that there are no remaining issues.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn6yzb79j9o5tojtuznh8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn6yzb79j9o5tojtuznh8.png" alt="SonarQube my projects" width="800" height="185"></a></p> <p> <br>  </p> <h3> Failing the pipeline based on SonarQube's default Quality Gates for a free account </h3> <p>Let's implement an endpoint at <strong>/users/{id}</strong> to retrieve user information by ID.</p> <p>Add dependencies to the <strong>“gradle.build”</strong> file in addition to the <strong>Spring Boot Web</strong> and <strong>logback</strong>. This is the complete list of dependencies:</p> <ul> <li> <strong>H2 Database</strong> is an in-memory database for testing purposes.</li> <li> <strong>Spring Boot JDBC</strong> is used in the persistence layer to interact with the database.</li> <li> <strong>Spring Boot</strong> Test is used for unit tests of a Spring application.</li> <li> <strong>JUnit 5</strong> to write unit tests.</li> <li> <strong>Lombok</strong> is to reduce boilerplate code.</li> <li> <strong>MapStruct</strong> is used for easily mapping entities to DTO objects.</li> </ul> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight gradle"><code> <span class="k">dependencies</span> <span class="o">{</span> <span class="c1">// Spring boot runtime</span> <span class="n">implementation</span> <span class="s1">'org.springframework.boot:spring-boot-starter-web'</span> <span class="n">implementation</span> <span class="s1">'org.springframework.boot:spring-boot-starter-jdbc'</span> <span class="c1">// Persistence H2 for demo (optional)</span> <span class="n">runtimeOnly</span> <span class="s1">'com.h2database:h2'</span> <span class="c1">// Observability</span> <span class="n">implementation</span> <span class="s1">'ch.qos.logback:logback-classic:1.5.13'</span> <span class="n">implementation</span> <span class="s1">'ch.qos.logback:logback-core:1.5.19'</span> <span class="c1">// Test</span> <span class="n">testImplementation</span> <span class="s1">'org.springframework.boot:spring-boot-starter-test'</span> <span class="n">testImplementation</span> <span class="s1">'org.junit.jupiter:junit-jupiter:5.10.2'</span> <span class="n">testImplementation</span> <span class="s1">'com.h2database:h2'</span> <span class="c1">// Annotation processing</span> <span class="n">compileOnly</span> <span class="s1">'org.projectlombok:lombok:1.18.26'</span> <span class="n">annotationProcessor</span> <span class="s1">'org.projectlombok:lombok:1.18.26'</span> <span class="n">implementation</span> <span class="s1">'org.mapstruct:mapstruct:1.5.5.Final'</span> <span class="n">annotationProcessor</span> <span class="s1">'org.mapstruct:mapstruct-processor:1.5.5.Final'</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <h3> Sourcecode structure </h3> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkhc7z2wa6n7o7s23db2c.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkhc7z2wa6n7o7s23db2c.png" alt="IntelliJ IDEA main project structure" width="491" height="402"></a></p> <p> <br>  </p> <h3> Controller </h3> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@RestController</span> <span class="nd">@RequiredArgsConstructor</span> <span class="nd">@FieldDefaults</span><span class="o">(</span><span class="n">level</span> <span class="o">=</span> <span class="nc">AccessLevel</span><span class="o">.</span><span class="na">PRIVATE</span><span class="o">,</span> <span class="n">makeFinal</span> <span class="o">=</span> <span class="kc">true</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserController</span> <span class="o">{</span> <span class="nc">UserServiceImpl</span> <span class="n">userService</span><span class="o">;</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/users/{id}"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o">&lt;</span><span class="nc">UserDto</span><span class="o">&gt;</span> <span class="nf">getUser</span><span class="o">(</span><span class="nd">@PathVariable</span> <span class="nc">Integer</span> <span class="n">id</span><span class="o">)</span> <span class="o">{</span> <span class="nc">UserDto</span> <span class="n">user</span> <span class="o">=</span> <span class="n">userService</span><span class="o">.</span><span class="na">getUserById</span><span class="o">(</span><span class="n">id</span><span class="o">);</span> <span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">ok</span><span class="o">(</span><span class="n">user</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <h3> Exception </h3> <p><strong>DaoExcetion</strong></p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">DaoException</span> <span class="kd">extends</span> <span class="nc">RuntimeException</span> <span class="o">{</span> <span class="kd">public</span> <span class="nf">DaoException</span><span class="o">(</span><span class="nc">String</span> <span class="n">message</span><span class="o">,</span> <span class="nc">Throwable</span> <span class="n">cause</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">message</span><span class="o">,</span> <span class="n">cause</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <p><strong>GlobalExceptionHandler</strong></p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@RestControllerAdvice</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">GlobalExceptionHandler</span> <span class="o">{</span> <span class="nd">@ExceptionHandler</span><span class="o">(</span><span class="nc">NoSuchElementException</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o">&lt;</span><span class="nc">ErrorResponse</span><span class="o">&gt;</span> <span class="nf">handleException</span><span class="o">(</span><span class="nc">NoSuchElementException</span> <span class="n">exception</span><span class="o">)</span> <span class="o">{</span> <span class="nc">HttpStatusCode</span> <span class="n">httpStatusCode</span> <span class="o">=</span> <span class="nc">HttpStatusCode</span><span class="o">.</span><span class="na">valueOf</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">NOT_FOUND</span><span class="o">.</span><span class="na">value</span><span class="o">());</span> <span class="nc">ErrorResponse</span> <span class="n">errorResponse</span> <span class="o">=</span> <span class="nc">ErrorResponse</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="n">exception</span><span class="o">,</span> <span class="n">httpStatusCode</span><span class="o">,</span> <span class="n">exception</span><span class="o">.</span><span class="na">getMessage</span><span class="o">());</span> <span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">status</span><span class="o">(</span><span class="n">httpStatusCode</span><span class="o">).</span><span class="na">body</span><span class="o">(</span><span class="n">errorResponse</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@ExceptionHandler</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="o">{</span><span class="nc">Exception</span><span class="o">.</span><span class="na">class</span><span class="o">,</span> <span class="nc">DaoException</span><span class="o">.</span><span class="na">class</span><span class="o">})</span> <span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o">&lt;</span><span class="nc">ErrorResponse</span><span class="o">&gt;</span> <span class="nf">handleException</span><span class="o">(</span><span class="nc">DaoException</span> <span class="n">exception</span><span class="o">)</span> <span class="o">{</span> <span class="nc">HttpStatusCode</span> <span class="n">httpStatusCode</span> <span class="o">=</span> <span class="nc">HttpStatusCode</span><span class="o">.</span><span class="na">valueOf</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">INTERNAL_SERVER_ERROR</span><span class="o">.</span><span class="na">value</span><span class="o">());</span> <span class="nc">ErrorResponse</span> <span class="n">errorResponse</span> <span class="o">=</span> <span class="nc">ErrorResponse</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="n">exception</span><span class="o">,</span> <span class="n">httpStatusCode</span><span class="o">,</span> <span class="n">exception</span><span class="o">.</span><span class="na">getMessage</span><span class="o">());</span> <span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">status</span><span class="o">(</span><span class="n">httpStatusCode</span><span class="o">).</span><span class="na">body</span><span class="o">(</span><span class="n">errorResponse</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@ExceptionHandler</span><span class="o">(</span><span class="nc">RuntimeException</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o">&lt;</span><span class="nc">ErrorResponse</span><span class="o">&gt;</span> <span class="nf">handleException</span><span class="o">(</span><span class="nc">RuntimeException</span> <span class="n">exception</span><span class="o">)</span> <span class="o">{</span> <span class="nc">HttpStatusCode</span> <span class="n">httpStatusCode</span> <span class="o">=</span> <span class="nc">HttpStatusCode</span><span class="o">.</span><span class="na">valueOf</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">BAD_REQUEST</span><span class="o">.</span><span class="na">value</span><span class="o">());</span> <span class="nc">ErrorResponse</span> <span class="n">errorResponse</span> <span class="o">=</span> <span class="nc">ErrorResponse</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="n">exception</span><span class="o">,</span> <span class="n">httpStatusCode</span><span class="o">,</span> <span class="n">exception</span><span class="o">.</span><span class="na">getMessage</span><span class="o">());</span> <span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">status</span><span class="o">(</span><span class="n">httpStatusCode</span><span class="o">).</span><span class="na">body</span><span class="o">(</span><span class="n">errorResponse</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <h3> Mapper </h3> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Mapper</span><span class="o">(</span><span class="n">componentModel</span> <span class="o">=</span> <span class="s">"spring"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">UserMapper</span> <span class="o">{</span> <span class="nc">UserDto</span> <span class="nf">toDto</span><span class="o">(</span><span class="nc">User</span> <span class="n">user</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <h3> Model </h3> <ul> <li>DTO</li> </ul> <p><strong>UserDto</strong></p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Getter</span> <span class="nd">@Setter</span> <span class="nd">@NoArgsConstructor</span> <span class="nd">@AllArgsConstructor</span> <span class="nd">@FieldDefaults</span><span class="o">(</span><span class="n">level</span> <span class="o">=</span> <span class="nc">AccessLevel</span><span class="o">.</span><span class="na">PRIVATE</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserDto</span> <span class="o">{</span> <span class="nc">Integer</span> <span class="n">id</span><span class="o">;</span> <span class="nc">String</span> <span class="n">username</span><span class="o">;</span> <span class="nc">String</span> <span class="n">email</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <ul> <li>Entities</li> </ul> <p><strong>User</strong></p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Getter</span> <span class="nd">@Setter</span> <span class="nd">@AllArgsConstructor</span> <span class="nd">@NoArgsConstructor</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">User</span> <span class="o">{</span> <span class="nc">Integer</span> <span class="n">id</span><span class="o">;</span> <span class="nc">String</span> <span class="n">username</span><span class="o">;</span> <span class="nc">String</span> <span class="n">email</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <h3> Persistence </h3> <p><strong>UserDao</strong></p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">UserDao</span> <span class="o">{</span> <span class="nc">Optional</span><span class="o">&lt;</span><span class="nc">User</span><span class="o">&gt;</span> <span class="nf">getUserById</span><span class="o">(</span><span class="nc">Integer</span> <span class="n">id</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <p><strong>UserDaoImpl</strong></p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Repository</span> <span class="nd">@RequiredArgsConstructor</span> <span class="nd">@FieldDefaults</span><span class="o">(</span><span class="n">level</span> <span class="o">=</span> <span class="nc">AccessLevel</span><span class="o">.</span><span class="na">PRIVATE</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserDaoImpl</span> <span class="kd">implements</span> <span class="nc">UserDao</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">DataSource</span> <span class="n">dataSource</span><span class="o">;</span> <span class="kd">public</span> <span class="nc">Optional</span><span class="o">&lt;</span><span class="nc">User</span><span class="o">&gt;</span> <span class="nf">getUserById</span><span class="o">(</span><span class="nc">Integer</span> <span class="n">id</span><span class="o">)</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">query</span> <span class="o">=</span> <span class="s">"SELECT id, username, email FROM users WHERE id = "</span> <span class="o">+</span> <span class="n">id</span><span class="o">;</span> <span class="k">try</span> <span class="o">(</span> <span class="nc">Connection</span> <span class="n">connection</span> <span class="o">=</span> <span class="n">dataSource</span><span class="o">.</span><span class="na">getConnection</span><span class="o">();</span> <span class="nc">Statement</span> <span class="n">ps</span> <span class="o">=</span> <span class="n">connection</span><span class="o">.</span><span class="na">prepareStatement</span><span class="o">(</span><span class="n">query</span><span class="o">))</span> <span class="o">{</span> <span class="kt">var</span> <span class="n">rs</span> <span class="o">=</span> <span class="n">ps</span><span class="o">.</span><span class="na">executeQuery</span><span class="o">(</span><span class="n">query</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">rs</span><span class="o">.</span><span class="na">next</span><span class="o">())</span> <span class="o">{</span> <span class="nc">User</span> <span class="n">user</span> <span class="o">=</span> <span class="n">buildUserEntity</span><span class="o">(</span><span class="n">rs</span><span class="o">);</span> <span class="k">return</span> <span class="nc">Optional</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="n">user</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="nc">Optional</span><span class="o">.</span><span class="na">empty</span><span class="o">();</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">NullPointerException</span> <span class="o">|</span> <span class="nc">SQLException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">DaoException</span><span class="o">(</span><span class="s">"SQL error"</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">User</span> <span class="nf">buildUserEntity</span><span class="o">(</span><span class="nc">ResultSet</span> <span class="n">rs</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">SQLException</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">User</span><span class="o">(</span> <span class="n">rs</span><span class="o">.</span><span class="na">getInt</span><span class="o">(</span><span class="s">"id"</span><span class="o">),</span> <span class="n">rs</span><span class="o">.</span><span class="na">getString</span><span class="o">(</span><span class="s">"username"</span><span class="o">),</span> <span class="n">rs</span><span class="o">.</span><span class="na">getString</span><span class="o">(</span><span class="s">"email"</span><span class="o">));</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <h3> Service </h3> <p><strong>UserService</strong></p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">UserService</span> <span class="o">{</span> <span class="nc">UserDto</span> <span class="nf">getUserById</span><span class="o">(</span><span class="nc">Integer</span> <span class="n">id</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <p><strong>UserServiceImpl</strong></p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Service</span> <span class="nd">@RequiredArgsConstructor</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserServiceImpl</span> <span class="kd">implements</span> <span class="nc">UserService</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">UserDao</span> <span class="n">userDao</span><span class="o">;</span> <span class="kd">final</span> <span class="nc">UserMapper</span> <span class="n">userMapper</span><span class="o">;</span> <span class="kd">public</span> <span class="nc">UserDto</span> <span class="nf">getUserById</span><span class="o">(</span><span class="nc">Integer</span> <span class="n">id</span><span class="o">)</span> <span class="o">{</span> <span class="n">requireNonNull</span><span class="o">(</span><span class="n">id</span><span class="o">,</span> <span class="s">"id must not be null"</span><span class="o">);</span> <span class="k">return</span> <span class="n">userDao</span><span class="o">.</span><span class="na">getUserById</span><span class="o">(</span><span class="n">id</span><span class="o">)</span> <span class="o">.</span><span class="na">map</span><span class="o">(</span><span class="nl">userMapper:</span><span class="o">:</span><span class="n">toDto</span><span class="o">)</span> <span class="o">.</span><span class="na">orElseThrow</span><span class="o">(()</span> <span class="o">-&gt;</span> <span class="k">new</span> <span class="nc">NoSuchElementException</span><span class="o">(</span><span class="s">"User not found with id: "</span> <span class="o">+</span> <span class="n">id</span><span class="o">));</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <h3> Database schema and data </h3> <p>Add <strong>“schema.sql”</strong> to create the users table and insert some testing data.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">users</span> <span class="p">(</span> <span class="n">id</span> <span class="nb">INT</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">username</span> <span class="n">VARCHAR2</span><span class="p">(</span><span class="mi">255</span><span class="p">),</span> <span class="n">email</span> <span class="n">VARCHAR2</span><span class="p">(</span><span class="mi">255</span><span class="p">)</span> <span class="p">);</span> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="n">username</span><span class="p">,</span> <span class="n">email</span><span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="s1">'Alice'</span><span class="p">,</span> <span class="s1">'alice@example.com'</span><span class="p">),</span> <span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="s1">'Bob'</span><span class="p">,</span> <span class="s1">'bob@example.com'</span><span class="p">),</span> <span class="p">(</span><span class="mi">3</span><span class="p">,</span> <span class="s1">'Admin'</span><span class="p">,</span> <span class="s1">'admin@example.com'</span><span class="p">);</span> </code></pre> </div> <p> <br>  </p> <h3> Application properties </h3> <p>Add these properties to the existing ones in the <strong>“application.properties”</strong> file.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code> <span class="c"># Database configuration </span><span class="py">spring.datasource.url</span><span class="p">=</span><span class="s">jdbc:h2:mem:testdb;DB_CLOSE_DELAY=-1</span> <span class="py">spring.datasource.driver-class-name</span><span class="p">=</span><span class="s">org.h2.Driver</span> <span class="py">spring.datasource.username</span><span class="p">=</span><span class="s">sa</span> <span class="py">spring.datasource.password</span><span class="p">=</span><span class="s">password</span> <span class="c"># Enable H2 web console via http://localhost:8008/h2-console </span><span class="py">spring.h2.console.enabled</span><span class="p">=</span><span class="s">true</span> </code></pre> </div> <p> <br>  </p> <p>Add a <strong>“gradle.properties”</strong> file to the root of the project. This property is required so <strong>GitHub</strong> waits for <strong>SonarCloud</strong> to return the scanning results. If you omit this, all scanning results will appear as passed.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code> <span class="py">systemProp.sonar.qualitygate.wait</span><span class="p">=</span><span class="s">true</span> </code></pre> </div> <p> <br>  </p> <p>Let’s run the application. As you can see, it returns the correct user data by the ID.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx99v5tz8rtaocpcnb42o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx99v5tz8rtaocpcnb42o.png" alt="IntelliJ IDEA application endpoint test" width="648" height="877"></a></p> <p> <br>  </p> <p>Now let’s run <strong>SonarQube</strong> locally from <strong>IntelliJ IDEA</strong>.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8wlbmcf5kdqi5wa23y2e.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8wlbmcf5kdqi5wa23y2e.png" alt="IntelliJ IDEA SonarQube local project analyze window" width="800" height="430"></a></p> <p> <br>  </p> <p>After scanning, <strong>SonarQube</strong> immediately shows one detected <strong>SQL Injection</strong> vulnerability. You can even see the suggested fix.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgw3ssx6y2mzfkger9kka.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgw3ssx6y2mzfkger9kka.png" alt="IntelliJ IDEA SonarQube found vulnerabilities" width="800" height="419"></a></p> <p> <br>  </p> <p>Let’s imagine that we forgot to run a <strong>SonarQube</strong> scan.<br> Pull the latest changes from the <strong>main</strong> branch and create a new branch that starts with <strong>feature/</strong>. Commit and push your changes. Then go to <strong>GitHub</strong> and create a <strong>Pull Request</strong>.<br> You can see that the <strong>Sonar job</strong> has <strong>failed</strong>.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl18x6116ld71aw26c812.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl18x6116ld71aw26c812.png" alt="GitHub failed pipeline on pushing to PR" width="800" height="734"></a></p> <p> <br>  </p> <p>For more details, you can click on the <strong>SonarQube Scan</strong> job.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk30tktfyuvql7bpk44e3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk30tktfyuvql7bpk44e3.png" alt="GitHub Actions failed scan job detail" width="800" height="726"></a></p> <p> <br>  </p> <p>Let’s check the SonarQube project dashboard at <a href="https://sonarcloud.io/project/overview?id=VardanMatevosyan_sonarqube_actions_demo" rel="noopener noreferrer">https://sonarcloud.io/project/overview?id=VardanMatevosyan_sonarqube_actions_demo</a></p> <p>Then choose your branch</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4ef2t2s9s33iw4khtxhp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4ef2t2s9s33iw4khtxhp.png" alt="SonarQube failed branch" width="800" height="683"></a></p> <p> <br>  </p> <p>As you can see, it failed. Click to view the details. You will see that two conditions have <strong>failed</strong>.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff3sfurz5ukh08ohllgj1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff3sfurz5ukh08ohllgj1.png" alt="SonarQube detail PR summery failed conditions" width="748" height="561"></a></p> <p> <br>  </p> <p>Click on <strong>“Security Hotspot Reviewed”</strong>. As you can see, it shows the same result we saw locally. </p> <p>The <strong>SQL injection</strong> vulnerability.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3gzjoe9u9t76eb7i4pdj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3gzjoe9u9t76eb7i4pdj.png" alt="SonarQube SQL vulnerabilites detail" width="800" height="372"></a></p> <p> <br>  </p> <p>Fix the SQL Injection vulnerability by using the <strong>PreparedStatement</strong> class and setter methods to set the values.</p> <p> </p> <p><strong>UserDaoImpl class</strong></p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Repository</span> <span class="nd">@RequiredArgsConstructor</span> <span class="nd">@FieldDefaults</span><span class="o">(</span><span class="n">level</span> <span class="o">=</span> <span class="nc">AccessLevel</span><span class="o">.</span><span class="na">PRIVATE</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserDaoImpl</span> <span class="kd">implements</span> <span class="nc">UserDao</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">DataSource</span> <span class="n">dataSource</span><span class="o">;</span> <span class="kd">public</span> <span class="nc">Optional</span><span class="o">&lt;</span><span class="nc">User</span><span class="o">&gt;</span> <span class="nf">getUserById</span><span class="o">(</span><span class="nc">Integer</span> <span class="n">id</span><span class="o">)</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">query</span> <span class="o">=</span> <span class="s">"SELECT id, username, email FROM users WHERE id = ?"</span><span class="o">;</span> <span class="k">try</span> <span class="o">(</span> <span class="nc">Connection</span> <span class="n">connection</span> <span class="o">=</span> <span class="n">dataSource</span><span class="o">.</span><span class="na">getConnection</span><span class="o">();</span> <span class="nc">PreparedStatement</span> <span class="n">ps</span> <span class="o">=</span> <span class="n">connection</span><span class="o">.</span><span class="na">prepareStatement</span><span class="o">(</span><span class="n">query</span><span class="o">))</span> <span class="o">{</span> <span class="n">ps</span><span class="o">.</span><span class="na">setInt</span><span class="o">(</span><span class="mi">1</span><span class="o">,</span> <span class="n">id</span><span class="o">);</span> <span class="kt">var</span> <span class="n">rs</span> <span class="o">=</span> <span class="n">ps</span><span class="o">.</span><span class="na">executeQuery</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">rs</span><span class="o">.</span><span class="na">next</span><span class="o">())</span> <span class="o">{</span> <span class="nc">User</span> <span class="n">user</span> <span class="o">=</span> <span class="n">buildUserEntity</span><span class="o">(</span><span class="n">rs</span><span class="o">);</span> <span class="k">return</span> <span class="nc">Optional</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="n">user</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="nc">Optional</span><span class="o">.</span><span class="na">empty</span><span class="o">();</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">NullPointerException</span> <span class="o">|</span> <span class="nc">SQLException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">DaoException</span><span class="o">(</span><span class="s">"SQL error"</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">User</span> <span class="nf">buildUserEntity</span><span class="o">(</span><span class="nc">ResultSet</span> <span class="n">rs</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">SQLException</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">User</span><span class="o">(</span> <span class="n">rs</span><span class="o">.</span><span class="na">getInt</span><span class="o">(</span><span class="s">"id"</span><span class="o">),</span> <span class="n">rs</span><span class="o">.</span><span class="na">getString</span><span class="o">(</span><span class="s">"username"</span><span class="o">),</span> <span class="n">rs</span><span class="o">.</span><span class="na">getString</span><span class="o">(</span><span class="s">"email"</span><span class="o">));</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <p>Run Sonar locally, and you will not find any issues. Then push changes to a remote branch. The Sonar job still <strong>fails</strong>.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuoxdtfbss6m1kj0hrdrl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuoxdtfbss6m1kj0hrdrl.png" alt="GitHub scan job failed after SQL injection fix" width="800" height="736"></a></p> <p> <br>  </p> <p>Look in the <strong>SonarQube dashboard</strong>, you'll see that the <strong>SQL Injection</strong> vulnerability is gone, but now the job is failing because tests and code coverage are missing. We'll explore this in the next section: “<strong>Adding unit tests and the JaCoCo plugin for code coverage.</strong>”</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4tzsqo7j4aljljffdkg9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4tzsqo7j4aljljffdkg9.png" alt="SonarQube PR detail condition one condition left" width="800" height="482"></a></p> <p> <br>  </p> <p>Even though we went through all of the steps from writing code up to creating a <strong>Pull Request</strong>, having the <strong>SonarQube plugin</strong> configured in your <strong>IDE</strong> is helpful in immediately detecting issues without running the application locally or pushing changes to your remote branch.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3qmxr2hke4328r0mkh2o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3qmxr2hke4328r0mkh2o.png" alt="Intellij IDEA SonarQube plugin SQL vulnerabily detection on source code" width="800" height="466"></a></p> <p> <br>  </p> <h2> Adding unit tests and the JaCoCo plugin for code coverage </h2> <p>Add these changes to the <strong>“gradle.build”</strong> file:</p> <p><strong>JaCoCo plugin</strong></p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight gradle"><code> <span class="n">id</span> <span class="s1">'JaCoCo'</span> </code></pre> </div> <p> <br>  </p> <p><strong>JaCoCo</strong> properties for <strong>SonarQube</strong>. <br> The <strong>config</strong>, <strong>mapper</strong>, <strong>model</strong>, and <strong>exception</strong> packages should be excluded from code coverage processing in <strong>SonarQube</strong>.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight gradle"><code> <span class="n">property</span> <span class="s2">"sonar.coverage.JaCoCoxml.import"</span><span class="o">,</span> <span class="s2">"true"</span> <span class="n">property</span> <span class="s2">"sonar.java.coveragePlugin"</span><span class="o">,</span> <span class="s2">"JaCoCo"</span> <span class="n">property</span> <span class="s2">"sonar.coverage.JaCoCo.xmlReportPaths"</span><span class="o">,</span> <span class="n">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s2">"SONAR_COVERAGE_JaCoCo_XML_REPORT_PATH"</span><span class="o">)</span> <span class="o">?:</span> <span class="n">localProps</span><span class="o">[</span><span class="s2">"sonar.coverage.JaCoCo.xmlReportPaths"</span><span class="o">]</span> <span class="n">property</span> <span class="s2">"sonar.coverage.exclusions"</span><span class="o">,</span> <span class="s2">"**/config/**,**/mapper/**,**/model/**,**/exception/**"</span> </code></pre> </div> <p> <br>  </p> <p><strong>JaCoCo</strong> configuration</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight gradle"><code> <span class="n">JaCoCo</span> <span class="o">{</span> <span class="n">toolVersion</span> <span class="o">=</span> <span class="s2">"0.8.12"</span> <span class="o">}</span> <span class="n">JaCoCoTestReport</span> <span class="o">{</span> <span class="n">dependsOn</span> <span class="n">test</span> <span class="n">reports</span> <span class="o">{</span> <span class="n">xml</span><span class="o">.</span><span class="na">required</span> <span class="o">=</span> <span class="kc">true</span> <span class="n">html</span><span class="o">.</span><span class="na">required</span> <span class="o">=</span> <span class="kc">true</span> <span class="n">csv</span><span class="o">.</span><span class="na">required</span> <span class="o">=</span> <span class="kc">false</span> <span class="o">}</span> <span class="n">afterEvaluate</span> <span class="o">{</span> <span class="n">classDirectories</span><span class="o">.</span><span class="na">setFrom</span><span class="o">(</span><span class="n">files</span><span class="o">(</span><span class="n">classDirectories</span><span class="o">.</span><span class="na">files</span><span class="o">.</span><span class="na">collect</span> <span class="o">{</span> <span class="n">fileTree</span><span class="o">(</span><span class="nl">dir:</span> <span class="n">it</span><span class="o">,</span> <span class="nl">exclude:</span> <span class="o">[</span><span class="s1">'**/config/**'</span><span class="o">,</span> <span class="s1">'**/model/**'</span><span class="o">,</span> <span class="s1">'**/exception/**'</span><span class="o">,</span> <span class="s1">'**/mapper/**'</span><span class="o">])</span> <span class="o">}))</span> <span class="o">}</span> <span class="o">}</span> <span class="n">JaCoCoTestCoverageVerification</span> <span class="o">{</span> <span class="n">dependsOn</span> <span class="n">JaCoCoTestReport</span> <span class="n">violationRules</span> <span class="o">{</span> <span class="n">rule</span> <span class="o">{</span> <span class="n">enabled</span> <span class="o">=</span> <span class="kc">true</span> <span class="n">element</span> <span class="o">=</span> <span class="s1">'BUNDLE'</span> <span class="n">limit</span> <span class="o">{</span> <span class="n">counter</span> <span class="o">=</span> <span class="s1">'LINE'</span> <span class="n">value</span> <span class="o">=</span> <span class="s1">'COVEREDRATIO'</span> <span class="n">minimum</span> <span class="o">=</span> <span class="mf">0.90</span> <span class="o">}</span> <span class="n">limit</span> <span class="o">{</span> <span class="n">counter</span> <span class="o">=</span> <span class="s1">'BRANCH'</span> <span class="n">value</span> <span class="o">=</span> <span class="s1">'COVEREDRATIO'</span> <span class="n">minimum</span> <span class="o">=</span> <span class="mf">0.65</span> <span class="o">}</span> <span class="n">limit</span> <span class="o">{</span> <span class="n">counter</span> <span class="o">=</span> <span class="s1">'METHOD'</span> <span class="n">value</span> <span class="o">=</span> <span class="s1">'COVEREDRATIO'</span> <span class="n">minimum</span> <span class="o">=</span> <span class="mf">0.90</span> <span class="o">}</span> <span class="n">limit</span> <span class="o">{</span> <span class="n">counter</span> <span class="o">=</span> <span class="s1">'CLASS'</span> <span class="n">value</span> <span class="o">=</span> <span class="s1">'COVEREDRATIO'</span> <span class="n">minimum</span> <span class="o">=</span> <span class="mf">0.90</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="n">afterEvaluate</span> <span class="o">{</span> <span class="n">classDirectories</span><span class="o">.</span><span class="na">setFrom</span><span class="o">(</span><span class="n">files</span><span class="o">(</span><span class="n">classDirectories</span><span class="o">.</span><span class="na">files</span><span class="o">.</span><span class="na">collect</span> <span class="o">{</span> <span class="n">fileTree</span><span class="o">(</span><span class="nl">dir:</span> <span class="n">it</span><span class="o">,</span> <span class="nl">exclude:</span> <span class="o">[</span><span class="s1">'**/config/**'</span><span class="o">,</span> <span class="s1">'**/model/**'</span><span class="o">,</span> <span class="s1">'**/exception/**'</span><span class="o">,</span> <span class="s1">'**/mapper/**'</span><span class="o">])</span> <span class="o">}))</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <p>Update the task <strong>test</strong> by adding this line at the end<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight gradle"><code> <span class="n">finalizedBy</span> <span class="n">JaCoCoTestReport</span> </code></pre> </div> <p> <br>  </p> <p>The complete <strong>“gradle.build”</strong> file</p> <p> <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight gradle"><code> <span class="n">plugins</span> <span class="o">{</span> <span class="n">id</span> <span class="s1">'java'</span> <span class="n">id</span> <span class="s1">'JaCoCo'</span> <span class="n">id</span> <span class="s2">"org.sonarqube"</span> <span class="n">version</span> <span class="s2">"7.0.0.6105"</span> <span class="n">id</span> <span class="s1">'org.springframework.boot'</span> <span class="n">version</span> <span class="s1">'3.0.0'</span> <span class="n">id</span> <span class="s1">'io.spring.dependency-management'</span> <span class="n">version</span> <span class="s1">'1.1.7'</span> <span class="o">}</span> <span class="n">group</span> <span class="o">=</span> <span class="s1">'com.practice'</span> <span class="n">version</span> <span class="o">=</span> <span class="s1">'0.0.1-SNAPSHOT'</span> <span class="n">description</span> <span class="o">=</span> <span class="s1">'sonarqube_actions_demo'</span> <span class="n">java</span> <span class="o">{</span> <span class="n">toolchain</span> <span class="o">{</span> <span class="n">languageVersion</span> <span class="o">=</span> <span class="n">JavaLanguageVersion</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="mi">17</span><span class="o">)</span> <span class="o">}</span> <span class="o">}</span> <span class="n">configurations</span> <span class="o">{</span> <span class="n">compileOnly</span> <span class="o">{</span> <span class="n">extendsFrom</span> <span class="n">annotationProcessor</span> <span class="o">}</span> <span class="o">}</span> <span class="k">repositories</span> <span class="o">{</span> <span class="n">mavenCentral</span><span class="o">()</span> <span class="o">}</span> <span class="k">dependencies</span> <span class="o">{</span> <span class="c1">// Spring boot runtime</span> <span class="n">implementation</span> <span class="s1">'org.springframework.boot:spring-boot-starter-web'</span> <span class="n">implementation</span> <span class="s1">'org.springframework.boot:spring-boot-starter-jdbc'</span> <span class="c1">// Persistence H2 for demo (optional)</span> <span class="n">runtimeOnly</span> <span class="s1">'com.h2database:h2'</span> <span class="c1">// Observability</span> <span class="n">implementation</span> <span class="s1">'ch.qos.logback:logback-classic:1.5.13'</span> <span class="n">implementation</span> <span class="s1">'ch.qos.logback:logback-core:1.5.19'</span> <span class="c1">// Test</span> <span class="n">testImplementation</span> <span class="s1">'org.springframework.boot:spring-boot-starter-test'</span> <span class="n">testImplementation</span> <span class="s1">'org.junit.jupiter:junit-jupiter:5.10.2'</span> <span class="n">testImplementation</span> <span class="s1">'com.h2database:h2'</span> <span class="c1">// Annotation processing</span> <span class="n">compileOnly</span> <span class="s1">'org.projectlombok:lombok:1.18.26'</span> <span class="n">annotationProcessor</span> <span class="s1">'org.projectlombok:lombok:1.18.26'</span> <span class="n">implementation</span> <span class="s1">'org.mapstruct:mapstruct:1.5.5.Final'</span> <span class="n">annotationProcessor</span> <span class="s1">'org.mapstruct:mapstruct-processor:1.5.5.Final'</span> <span class="o">}</span> <span class="kt">def</span> <span class="n">localProps</span> <span class="o">=</span> <span class="k">new</span> <span class="n">Properties</span><span class="o">()</span> <span class="kt">def</span> <span class="n">localFile</span> <span class="o">=</span> <span class="n">file</span><span class="o">(</span><span class="s2">"gradle-local.properties"</span><span class="o">)</span> <span class="k">if</span> <span class="o">(</span><span class="n">localFile</span><span class="o">.</span><span class="na">exists</span><span class="o">())</span> <span class="o">{</span> <span class="n">localProps</span><span class="o">.</span><span class="na">load</span><span class="o">(</span><span class="n">localFile</span><span class="o">.</span><span class="na">newDataInputStream</span><span class="o">())</span> <span class="o">}</span> <span class="n">sonar</span> <span class="o">{</span> <span class="n">properties</span> <span class="o">{</span> <span class="n">property</span> <span class="s2">"sonar.coverage.JaCoCoxml.import"</span><span class="o">,</span> <span class="s2">"true"</span> <span class="n">property</span> <span class="s2">"sonar.java.coveragePlugin"</span><span class="o">,</span> <span class="s2">"JaCoCo"</span> <span class="n">property</span> <span class="s2">"sonar.coverage.JaCoCo.xmlReportPaths"</span><span class="o">,</span> <span class="n">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s2">"SONAR_COVERAGE_JaCoCo_XML_REPORT_PATH"</span><span class="o">)</span> <span class="o">?:</span> <span class="n">localProps</span><span class="o">[</span><span class="s2">"sonar.coverage.JaCoCo.xmlReportPaths"</span><span class="o">]</span> <span class="n">property</span> <span class="s2">"sonar.projectKey"</span><span class="o">,</span> <span class="n">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s2">"SONAR_PROJECT_KEY"</span><span class="o">)</span> <span class="o">?:</span> <span class="n">localProps</span><span class="o">[</span><span class="s2">"sonar.projectKey"</span><span class="o">]</span> <span class="n">property</span> <span class="s2">"sonar.organization"</span><span class="o">,</span> <span class="n">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s2">"SONAR_ORGANIZATION_KEY"</span><span class="o">)</span> <span class="o">?:</span> <span class="n">localProps</span><span class="o">[</span><span class="s2">"sonar.organization"</span><span class="o">]</span> <span class="n">property</span> <span class="s2">"sonar.projectName"</span><span class="o">,</span> <span class="n">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s2">"SONAR_PROJECT_NAME"</span><span class="o">)</span> <span class="o">?:</span> <span class="n">localProps</span><span class="o">[</span><span class="s2">"sonar.projectName"</span><span class="o">]</span> <span class="n">property</span> <span class="s2">"sonar.token"</span><span class="o">,</span> <span class="n">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s2">"SONAR_TOKEN"</span><span class="o">)</span> <span class="o">?:</span> <span class="n">localProps</span><span class="o">[</span><span class="s2">"sonar.token"</span><span class="o">]</span> <span class="n">property</span> <span class="s2">"sonar.host.url"</span><span class="o">,</span> <span class="n">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s2">"SONAR_HOST_URL"</span><span class="o">)</span> <span class="o">?:</span> <span class="n">localProps</span><span class="o">[</span><span class="s2">"sonar.host.url"</span><span class="o">]</span> <span class="n">property</span> <span class="s2">"sonar.coverage.exclusions"</span><span class="o">,</span> <span class="s2">"**/config/**,**/mapper/**,**/model/**,**/exception/**"</span> <span class="o">}</span> <span class="o">}</span> <span class="n">JaCoCo</span> <span class="o">{</span> <span class="n">toolVersion</span> <span class="o">=</span> <span class="s2">"0.8.12"</span> <span class="o">}</span> <span class="n">JaCoCoTestReport</span> <span class="o">{</span> <span class="n">dependsOn</span> <span class="n">test</span> <span class="n">reports</span> <span class="o">{</span> <span class="n">xml</span><span class="o">.</span><span class="na">required</span> <span class="o">=</span> <span class="kc">true</span> <span class="n">html</span><span class="o">.</span><span class="na">required</span> <span class="o">=</span> <span class="kc">true</span> <span class="n">csv</span><span class="o">.</span><span class="na">required</span> <span class="o">=</span> <span class="kc">false</span> <span class="o">}</span> <span class="n">afterEvaluate</span> <span class="o">{</span> <span class="n">classDirectories</span><span class="o">.</span><span class="na">setFrom</span><span class="o">(</span><span class="n">files</span><span class="o">(</span><span class="n">classDirectories</span><span class="o">.</span><span class="na">files</span><span class="o">.</span><span class="na">collect</span> <span class="o">{</span> <span class="n">fileTree</span><span class="o">(</span><span class="nl">dir:</span> <span class="n">it</span><span class="o">,</span> <span class="nl">exclude:</span> <span class="o">[</span><span class="s1">'**/config/**'</span><span class="o">,</span> <span class="s1">'**/model/**'</span><span class="o">,</span> <span class="s1">'**/exception/**'</span><span class="o">,</span> <span class="s1">'**/mapper/**'</span><span class="o">])</span> <span class="o">}))</span> <span class="o">}</span> <span class="o">}</span> <span class="n">JaCoCoTestCoverageVerification</span> <span class="o">{</span> <span class="n">dependsOn</span> <span class="n">JaCoCoTestReport</span> <span class="n">violationRules</span> <span class="o">{</span> <span class="n">rule</span> <span class="o">{</span> <span class="n">enabled</span> <span class="o">=</span> <span class="kc">true</span> <span class="n">element</span> <span class="o">=</span> <span class="s1">'BUNDLE'</span> <span class="n">limit</span> <span class="o">{</span> <span class="n">counter</span> <span class="o">=</span> <span class="s1">'LINE'</span> <span class="n">value</span> <span class="o">=</span> <span class="s1">'COVEREDRATIO'</span> <span class="n">minimum</span> <span class="o">=</span> <span class="mf">0.90</span> <span class="o">}</span> <span class="n">limit</span> <span class="o">{</span> <span class="n">counter</span> <span class="o">=</span> <span class="s1">'BRANCH'</span> <span class="n">value</span> <span class="o">=</span> <span class="s1">'COVEREDRATIO'</span> <span class="n">minimum</span> <span class="o">=</span> <span class="mf">0.65</span> <span class="o">}</span> <span class="n">limit</span> <span class="o">{</span> <span class="n">counter</span> <span class="o">=</span> <span class="s1">'METHOD'</span> <span class="n">value</span> <span class="o">=</span> <span class="s1">'COVEREDRATIO'</span> <span class="n">minimum</span> <span class="o">=</span> <span class="mf">0.90</span> <span class="o">}</span> <span class="n">limit</span> <span class="o">{</span> <span class="n">counter</span> <span class="o">=</span> <span class="s1">'CLASS'</span> <span class="n">value</span> <span class="o">=</span> <span class="s1">'COVEREDRATIO'</span> <span class="n">minimum</span> <span class="o">=</span> <span class="mf">0.90</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="n">afterEvaluate</span> <span class="o">{</span> <span class="n">classDirectories</span><span class="o">.</span><span class="na">setFrom</span><span class="o">(</span><span class="n">files</span><span class="o">(</span><span class="n">classDirectories</span><span class="o">.</span><span class="na">files</span><span class="o">.</span><span class="na">collect</span> <span class="o">{</span> <span class="n">fileTree</span><span class="o">(</span><span class="nl">dir:</span> <span class="n">it</span><span class="o">,</span> <span class="nl">exclude:</span> <span class="o">[</span><span class="s1">'**/config/**'</span><span class="o">,</span> <span class="s1">'**/model/**'</span><span class="o">,</span> <span class="s1">'**/exception/**'</span><span class="o">,</span> <span class="s1">'**/mapper/**'</span><span class="o">])</span> <span class="o">}))</span> <span class="o">}</span> <span class="o">}</span> <span class="n">tasks</span><span class="o">.</span><span class="na">named</span><span class="o">(</span><span class="s1">'test'</span><span class="o">)</span> <span class="o">{</span> <span class="n">useJUnitPlatform</span><span class="o">()</span> <span class="n">finalizedBy</span> <span class="n">JaCoCoTestReport</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <p><strong>Test package</strong> structure</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmteczwmyab9q1tli4est.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmteczwmyab9q1tli4est.png" alt="Intellij IDEA project test ctructure" width="644" height="452"></a></p> <p> <br>  </p> <p>We need to add the <strong>“data.sql”</strong> file. This script inserts testing data into the database. You can access them while running tests.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">users</span> <span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="n">username</span><span class="p">,</span> <span class="n">email</span><span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="mi">10</span><span class="p">,</span> <span class="s1">'alice'</span><span class="p">,</span> <span class="s1">'alice@example.com'</span><span class="p">),</span> <span class="p">(</span><span class="mi">11</span><span class="p">,</span> <span class="s1">'bob'</span><span class="p">,</span> <span class="s1">'bob@example.com'</span><span class="p">);</span> </code></pre> </div> <p> <br>  </p> <p><strong>UseControllerTest</strong></p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@WebMvcTest</span><span class="o">(</span><span class="nc">UserController</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="kd">class</span> <span class="nc">UserControllerTest</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">MockMvc</span> <span class="n">mockMvc</span><span class="o">;</span> <span class="nd">@MockBean</span> <span class="kd">private</span> <span class="nc">UserServiceImpl</span> <span class="n">userService</span><span class="o">;</span> <span class="nd">@Test</span> <span class="kt">void</span> <span class="nf">getUser_shouldReturnUserDto_whenUserExists</span><span class="o">()</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="c1">// Arrange</span> <span class="nc">Integer</span> <span class="n">userId</span> <span class="o">=</span> <span class="mi">1</span><span class="o">;</span> <span class="nc">UserDto</span> <span class="n">userDto</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UserDto</span><span class="o">(</span><span class="n">userId</span><span class="o">,</span> <span class="s">"jane_doe"</span><span class="o">,</span> <span class="s">"jane@example.com"</span><span class="o">);</span> <span class="n">when</span><span class="o">(</span><span class="n">userService</span><span class="o">.</span><span class="na">getUserById</span><span class="o">(</span><span class="n">userId</span><span class="o">)).</span><span class="na">thenReturn</span><span class="o">(</span><span class="n">userDto</span><span class="o">);</span> <span class="c1">// Act and Assert</span> <span class="n">mockMvc</span><span class="o">.</span><span class="na">perform</span><span class="o">(</span><span class="n">get</span><span class="o">(</span><span class="s">"/users/{id}"</span><span class="o">,</span> <span class="n">userId</span><span class="o">)</span> <span class="o">.</span><span class="na">contentType</span><span class="o">(</span><span class="nc">MediaType</span><span class="o">.</span><span class="na">APPLICATION_JSON</span><span class="o">))</span> <span class="o">.</span><span class="na">andExpect</span><span class="o">(</span><span class="n">status</span><span class="o">().</span><span class="na">isOk</span><span class="o">())</span> <span class="o">.</span><span class="na">andExpect</span><span class="o">(</span><span class="n">jsonPath</span><span class="o">(</span><span class="s">"$.id"</span><span class="o">).</span><span class="na">value</span><span class="o">(</span><span class="n">userDto</span><span class="o">.</span><span class="na">getId</span><span class="o">()))</span> <span class="o">.</span><span class="na">andExpect</span><span class="o">(</span><span class="n">jsonPath</span><span class="o">(</span><span class="s">"$.username"</span><span class="o">).</span><span class="na">value</span><span class="o">(</span><span class="n">userDto</span><span class="o">.</span><span class="na">getUsername</span><span class="o">()))</span> <span class="o">.</span><span class="na">andExpect</span><span class="o">(</span><span class="n">jsonPath</span><span class="o">(</span><span class="s">"$.email"</span><span class="o">).</span><span class="na">value</span><span class="o">(</span><span class="n">userDto</span><span class="o">.</span><span class="na">getEmail</span><span class="o">()));</span> <span class="n">verify</span><span class="o">(</span><span class="n">userService</span><span class="o">).</span><span class="na">getUserById</span><span class="o">(</span><span class="n">userId</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Test</span> <span class="kt">void</span> <span class="nf">getUser_shouldReturn500_whenUserServiceThrowsException</span><span class="o">()</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="c1">// Arrange</span> <span class="nc">Integer</span> <span class="n">userId</span> <span class="o">=</span> <span class="mi">999</span><span class="o">;</span> <span class="n">when</span><span class="o">(</span><span class="n">userService</span><span class="o">.</span><span class="na">getUserById</span><span class="o">(</span><span class="n">userId</span><span class="o">))</span> <span class="o">.</span><span class="na">thenThrow</span><span class="o">(</span><span class="k">new</span> <span class="nc">NoSuchElementException</span><span class="o">(</span><span class="s">"User not found with id: "</span> <span class="o">+</span> <span class="n">userId</span><span class="o">));</span> <span class="c1">// Act and Assert</span> <span class="n">mockMvc</span><span class="o">.</span><span class="na">perform</span><span class="o">(</span><span class="n">get</span><span class="o">(</span><span class="s">"/users/{id}"</span><span class="o">,</span> <span class="n">userId</span><span class="o">)</span> <span class="o">.</span><span class="na">contentType</span><span class="o">(</span><span class="nc">MediaType</span><span class="o">.</span><span class="na">APPLICATION_JSON</span><span class="o">))</span> <span class="o">.</span><span class="na">andExpect</span><span class="o">(</span><span class="n">status</span><span class="o">().</span><span class="na">is4xxClientError</span><span class="o">());</span> <span class="n">verify</span><span class="o">(</span><span class="n">userService</span><span class="o">).</span><span class="na">getUserById</span><span class="o">(</span><span class="n">userId</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <p><strong>UserDaoImplTest</strong></p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@JdbcTest</span> <span class="nd">@TestPropertySource</span><span class="o">(</span><span class="n">properties</span> <span class="o">=</span> <span class="o">{</span> <span class="s">"spring.datasource.url=jdbc:h2:mem:testdb;DB_CLOSE_DELAY=-1"</span><span class="o">,</span> <span class="s">"spring.datasource.driver-class-name=org.h2.Driver"</span> <span class="o">})</span> <span class="kd">class</span> <span class="nc">UserDaoImplTest</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">DataSource</span> <span class="n">dataSource</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">UserDaoImpl</span> <span class="n">userDao</span><span class="o">;</span> <span class="nd">@BeforeEach</span> <span class="kt">void</span> <span class="nf">setUp</span><span class="o">()</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">userDao</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UserDaoImpl</span><span class="o">(</span><span class="n">dataSource</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Test</span> <span class="kt">void</span> <span class="nf">getUserById_shouldReturnUser_whenUserExists</span><span class="o">()</span> <span class="o">{</span> <span class="c1">// Arrange</span> <span class="kt">int</span> <span class="n">userId</span> <span class="o">=</span> <span class="mi">10</span><span class="o">;</span> <span class="c1">// Act</span> <span class="kt">var</span> <span class="n">userOpt</span> <span class="o">=</span> <span class="n">userDao</span><span class="o">.</span><span class="na">getUserById</span><span class="o">(</span><span class="n">userId</span><span class="o">);</span> <span class="c1">// Assert</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">userOpt</span><span class="o">).</span><span class="na">isPresent</span><span class="o">();</span> <span class="nc">User</span> <span class="n">user</span> <span class="o">=</span> <span class="n">userOpt</span><span class="o">.</span><span class="na">get</span><span class="o">();</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">user</span><span class="o">.</span><span class="na">getId</span><span class="o">()).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="n">userId</span><span class="o">);</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">user</span><span class="o">.</span><span class="na">getUsername</span><span class="o">()).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="s">"alice"</span><span class="o">);</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">user</span><span class="o">.</span><span class="na">getEmail</span><span class="o">()).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="s">"alice@example.com"</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Test</span> <span class="kt">void</span> <span class="nf">getUserById_shouldReturnEmpty_whenUserDoesNotExist</span><span class="o">()</span> <span class="o">{</span> <span class="c1">// Act</span> <span class="kt">var</span> <span class="n">userOpt</span> <span class="o">=</span> <span class="n">userDao</span><span class="o">.</span><span class="na">getUserById</span><span class="o">(</span><span class="mi">999</span><span class="o">);</span> <span class="c1">// Assert</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">userOpt</span><span class="o">).</span><span class="na">isEmpty</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Test</span> <span class="kt">void</span> <span class="nf">getUserById_shouldReturnEmpty_whenIdIsNull</span><span class="o">()</span> <span class="o">{</span> <span class="c1">// Assert and Act</span> <span class="n">assertThatException</span><span class="o">()</span> <span class="o">.</span><span class="na">isThrownBy</span><span class="o">(()</span> <span class="o">-&gt;</span> <span class="n">userDao</span><span class="o">.</span><span class="na">getUserById</span><span class="o">(</span><span class="kc">null</span><span class="o">))</span> <span class="o">.</span><span class="na">isInstanceOf</span><span class="o">(</span><span class="nc">DaoException</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">withMessage</span><span class="o">(</span><span class="s">"SQL error"</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <p><strong>UserServiceImplTest</strong></p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@ExtendWith</span><span class="o">(</span><span class="nc">MockitoExtension</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="kd">class</span> <span class="nc">UserServiceImplTest</span> <span class="o">{</span> <span class="nd">@Mock</span> <span class="kd">private</span> <span class="nc">UserDao</span> <span class="n">userDao</span><span class="o">;</span> <span class="nd">@Mock</span> <span class="kd">private</span> <span class="nc">UserMapper</span> <span class="n">userMapper</span><span class="o">;</span> <span class="nd">@InjectMocks</span> <span class="kd">private</span> <span class="nc">UserServiceImpl</span> <span class="n">userService</span><span class="o">;</span> <span class="nd">@Test</span> <span class="kt">void</span> <span class="nf">test_whenGetUserById_shouldReturnUserDto_whenUserExists</span><span class="o">()</span> <span class="o">{</span> <span class="c1">// Arrange</span> <span class="nc">Integer</span> <span class="n">userId</span> <span class="o">=</span> <span class="mi">1</span><span class="o">;</span> <span class="nc">User</span> <span class="n">user</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">User</span><span class="o">(</span><span class="n">userId</span><span class="o">,</span> <span class="s">"john_doe"</span><span class="o">,</span> <span class="s">"john@example.com"</span><span class="o">);</span> <span class="nc">UserDto</span> <span class="n">userDto</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UserDto</span><span class="o">(</span><span class="n">userId</span><span class="o">,</span> <span class="s">"john_doe"</span><span class="o">,</span> <span class="s">"john@example.com"</span><span class="o">);</span> <span class="n">when</span><span class="o">(</span><span class="n">userDao</span><span class="o">.</span><span class="na">getUserById</span><span class="o">(</span><span class="n">userId</span><span class="o">)).</span><span class="na">thenReturn</span><span class="o">(</span><span class="nc">Optional</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="n">user</span><span class="o">));</span> <span class="n">when</span><span class="o">(</span><span class="n">userMapper</span><span class="o">.</span><span class="na">toDto</span><span class="o">(</span><span class="n">user</span><span class="o">)).</span><span class="na">thenReturn</span><span class="o">(</span><span class="n">userDto</span><span class="o">);</span> <span class="c1">// Act</span> <span class="nc">UserDto</span> <span class="n">result</span> <span class="o">=</span> <span class="n">userService</span><span class="o">.</span><span class="na">getUserById</span><span class="o">(</span><span class="n">userId</span><span class="o">);</span> <span class="c1">// Assert</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">result</span><span class="o">).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="n">userDto</span><span class="o">);</span> <span class="n">verify</span><span class="o">(</span><span class="n">userDao</span><span class="o">).</span><span class="na">getUserById</span><span class="o">(</span><span class="n">userId</span><span class="o">);</span> <span class="n">verify</span><span class="o">(</span><span class="n">userMapper</span><span class="o">).</span><span class="na">toDto</span><span class="o">(</span><span class="n">user</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Test</span> <span class="kt">void</span> <span class="nf">test_whenGetUserById_shouldThrowNoSuchElementException_whenUserNotFound</span><span class="o">()</span> <span class="o">{</span> <span class="c1">// Arrange</span> <span class="nc">Integer</span> <span class="n">userId</span> <span class="o">=</span> <span class="mi">999</span><span class="o">;</span> <span class="n">when</span><span class="o">(</span><span class="n">userDao</span><span class="o">.</span><span class="na">getUserById</span><span class="o">(</span><span class="n">userId</span><span class="o">)).</span><span class="na">thenReturn</span><span class="o">(</span><span class="nc">Optional</span><span class="o">.</span><span class="na">empty</span><span class="o">());</span> <span class="c1">// Act and Assert</span> <span class="n">assertThatThrownBy</span><span class="o">(()</span> <span class="o">-&gt;</span> <span class="n">userService</span><span class="o">.</span><span class="na">getUserById</span><span class="o">(</span><span class="n">userId</span><span class="o">))</span> <span class="o">.</span><span class="na">isInstanceOf</span><span class="o">(</span><span class="nc">NoSuchElementException</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">hasMessage</span><span class="o">(</span><span class="s">"User not found with id: "</span> <span class="o">+</span> <span class="n">userId</span><span class="o">);</span> <span class="n">verify</span><span class="o">(</span><span class="n">userDao</span><span class="o">).</span><span class="na">getUserById</span><span class="o">(</span><span class="n">userId</span><span class="o">);</span> <span class="n">verify</span><span class="o">(</span><span class="n">userMapper</span><span class="o">,</span> <span class="n">never</span><span class="o">()).</span><span class="na">toDto</span><span class="o">(</span><span class="n">any</span><span class="o">());</span> <span class="o">}</span> <span class="nd">@Test</span> <span class="kt">void</span> <span class="nf">getUserById_shouldHandleNullId</span><span class="o">()</span> <span class="o">{</span> <span class="c1">// Act and Assert</span> <span class="n">assertThatThrownBy</span><span class="o">(()</span> <span class="o">-&gt;</span> <span class="n">userService</span><span class="o">.</span><span class="na">getUserById</span><span class="o">(</span><span class="kc">null</span><span class="o">))</span> <span class="o">.</span><span class="na">isInstanceOf</span><span class="o">(</span><span class="nc">NullPointerException</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">hasMessage</span><span class="o">(</span><span class="s">"id must not be null"</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <p><strong>Update “build.yml” file.</strong><br> Add <strong>test_and_coverage</strong> next to the <strong>build</strong> job.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">test_and_coverage</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Test and Coverage</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">container</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">eclipse-temurin:17-jdk</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout source code to docker ubuntu container</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">token</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run tests with coverage</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./gradlew JaCoCoTestCoverageVerification</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload test results</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-coverage-report</span> <span class="na">path</span><span class="pi">:</span> <span class="s1">'</span><span class="s">build'</span> <span class="na">overwrite</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">retention-days</span><span class="pi">:</span> <span class="m">5</span> </code></pre> </div> <p> <br>  </p> <p>Add the <strong>test_and_coverage</strong> job after the <strong>build</strong> job under the needs section for the <strong>sast</strong> job. <br> This configuration ensures that the sast job will wait until the <strong>build</strong> and <strong>test_and_coverage</strong> jobs have completed their execution.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">sast</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">build</span> <span class="pi">-</span> <span class="s">test_and_coverage</span> </code></pre> </div> <p> <br>  </p> <p>Add these two <strong>sast</strong> steps after the <strong>“Cache SonarQube packages”</strong> step. First one download the <strong>JaCoCo report</strong> saved by the previous <strong>test_and_coverage</strong> job execution. The second one is to check if the report exists.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Download JaCoCo report</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/download-artifact@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-coverage-report</span> <span class="na">path</span><span class="pi">:</span> <span class="s">.</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Verify report exists</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">ls -la ./reports/JaCoCo/test</span> </code></pre> </div> <p> <br>  </p> <p>Complete <strong>“build.yml”</strong> file.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">name</span><span class="pi">:</span> <span class="s">SonarQube</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">main'</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">branch-name-policy</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">branch-name-policy</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check PR source branch name</span> <span class="na">shell</span><span class="pi">:</span> <span class="s">bash</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">if [ "${{ github.event_name }}" = "pull_request" ]; then</span> <span class="s">BRANCH="${{ github.head_ref }}"</span> <span class="s">else</span> <span class="s">BRANCH="${{ github.ref_name }}"</span> <span class="s">fi</span> <span class="s">echo "PR head ref: $BRANCH"</span> <span class="s">if [[ "$BRANCH" =~ ^(release/|hotfix/|feature/|bugfix/|test|main).* ]]; then</span> <span class="s">echo "Allowed branch pattern: $BRANCH"</span> <span class="s">exit 0</span> <span class="s">else</span> <span class="s">echo "::error ::Branch name '$BRANCH' is not allowed to merge into main. Allowed patterns: release/*, hotfix/*, feature/*, bugfix/*, test*"</span> <span class="s">exit 1</span> <span class="s">fi</span> <span class="na">build</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">container</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">eclipse-temurin:17-jdk</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout source code to docker ubuntu container</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">token</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build project</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./gradlew build -x test</span> <span class="na">test_and_coverage</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Test and Coverage</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">container</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">eclipse-temurin:17-jdk</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout source code to docker ubuntu container</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">token</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run tests with coverage</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./gradlew JaCoCoTestCoverageVerification</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload test results</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-coverage-report</span> <span class="na">path</span><span class="pi">:</span> <span class="s1">'</span><span class="s">build'</span> <span class="na">overwrite</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">retention-days</span><span class="pi">:</span> <span class="m">5</span> <span class="na">sast</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">build</span> <span class="pi">-</span> <span class="s">test_and_coverage</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SonarQube Scan</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout source code to docker ubuntu container</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Cache SonarQube packages</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/cache@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">~/.sonar/cache</span> <span class="na">key</span><span class="pi">:</span> <span class="s">${{ runner.os }}-sonar</span> <span class="na">restore-keys</span><span class="pi">:</span> <span class="s">${{ runner.os }}-sonar</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Download JaCoCo report</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/download-artifact@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-coverage-report</span> <span class="na">path</span><span class="pi">:</span> <span class="s">.</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Verify report exists</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">ls -la ./reports/JaCoCo/test</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SonarQube Scan</span> <span class="na">env</span><span class="pi">:</span> <span class="na">SONAR_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_TOKEN }}</span> <span class="na">SONAR_HOST_URL</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_HOST_URL }}</span> <span class="na">SONAR_ORGANIZATION_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_ORGANIZATION_KEY }}</span> <span class="na">SONAR_PROJECT_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_PROJECT_KEY }}</span> <span class="na">SONAR_PROJECT_NAME</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_PROJECT_NAME }}</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./gradlew sonar --info</span> </code></pre> </div> <p> <br>  </p> <p>Push the changes to the remote branch and check the state of the <strong>Pull Request’s</strong> jobs execution results. The pipeline <strong>failed</strong> because one last piece is missing.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjs7vzvaidvey1a26p4bu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjs7vzvaidvey1a26p4bu.png" alt="GitHub new PR changes failed again" width="800" height="749"></a></p> <p> <br>  </p> <p>We need to add the <strong>JaCoCo</strong> test coverage report path in the <strong>SonarQube configuration</strong> for this project. This can be done by navigating to the <strong>SonarQube project</strong>, <strong>Administration</strong>, located in the bottom-left corner, and then <strong>General Settings</strong>. Paste <strong>reports/JaCoCo/test/JaCoCoTestReport.xml</strong> and click <strong>save</strong>.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvb3616do9gf6wn0j75mh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvb3616do9gf6wn0j75mh.png" alt="SonarQube JaCoCo xml report path configuration" width="800" height="435"></a></p> <p> <br>  </p> <p>Go to <strong>GitHub</strong>, click on the <strong>SoarQube job</strong> to navigate to the <strong>GitHub Actions page</strong>. Click on the <strong>Sonar job</strong> and re-run the job.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbcjaf3s7vq5saz76dmlr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbcjaf3s7vq5saz76dmlr.png" alt="GitHub Actions rerun job page" width="800" height="442"></a></p> <p> <br>  </p> <p>Now all jobs have <strong>passed</strong>.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F92lomxv3x29j0f4cauve.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F92lomxv3x29j0f4cauve.png" alt="GitHub Actions all jobs passed after rerun" width="800" height="495"></a></p> <p> <br>  </p> <p>Return to the <strong>Pull Request</strong> page, and now you can merge the changes to the <strong>main</strong> branch.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6jm2j3p322zvcjw76gh6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6jm2j3p322zvcjw76gh6.png" alt="GitHub PR all jobs passed and avilable for merging" width="800" height="672"></a></p> <p> <br>  </p> <p>Merge the changes, and verify that all jobs pass after merging to the main branch.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq9dy4egifejyjw7kjj5o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq9dy4egifejyjw7kjj5o.png" alt="GitHub main branch all jobs passed icon" width="800" height="509"></a></p> <p> <br>  </p> <p>Verify that <strong>test coverage</strong> appears on the <strong>SonarQube project</strong>. It shows the overall test coverage percentage. If you need charts on code coverage, click on the project and select the <strong>Coverage header</strong> at the top of the <strong>“Main Branch Evolution”</strong> section.</p> <p> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuzon4hiz46o5usyopo6e.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuzon4hiz46o5usyopo6e.png" alt="SonarQube test coverage appear on the screen" width="800" height="239"></a></p> <p> <br>  </p> <h2> Conclusion </h2> <p>Effective <strong>SAST</strong> implementation has to be smoothly integrated into your development and deployment processes. This article demonstrates how to maximize the benefits of SonarCloud, including local scanning with <strong>IntelliJ IDEA</strong> and <strong>Docker</strong>, integrating scans with <strong>GitHub Actions pipelines</strong>, and enhancing code coverage through unit testing and the <strong>JaCoCo plugin</strong>.</p> <p>You can keep your codebase secure and prevent vulnerabilities from reaching production by enforcing quality gates and managing false positives. By implementing these practices in your <strong>SSDLC</strong>, you are not only strengthening the security but also establishing an environment of quality and accountability within your development teams.</p> <p>Start applying these steps today to improve software security with continuous and automated <strong>SAST</strong>.</p> <p> <br>  </p> <h2> Links </h2> <ul> <li> <strong>SonarQube Cloud</strong> - <a href="https://sonarcloud.io/" rel="noopener noreferrer">https://sonarcloud.io/</a> </li> <li> <strong>SonarQube documentation</strong> - <a href="https://docs.sonarsource.com/" rel="noopener noreferrer">https://docs.sonarsource.com/</a> </li> <li> <strong>GitHub repository</strong> - <a href="https://github.com/VardanMatevosyan/sonarqube_actions_demo" rel="noopener noreferrer">https://github.com/VardanMatevosyan/sonarqube_actions_demo</a> </li> </ul> <p> <br>  </p> <p>Originally published on my personal blog: <a href="https://matevosian.tech/blog/post/sast-part3-automation-scanning" rel="noopener noreferrer">https://matevosian.tech/blog/post/sast-part3-automation-scanning</a></p> <p> <br>  </p> security devops java cicd Catch vulnerabilities before they ship: local SonarQube setup (Part 2) Vardan Matevosian Tue, 09 Dec 2025 12:05:00 +0000 https://dev.to/vardan_matevosian_tech/catch-vulnerabilities-before-they-ship-local-sonarqube-setup-part-2-1ad3 https://dev.to/vardan_matevosian_tech/catch-vulnerabilities-before-they-ship-local-sonarqube-setup-part-2-1ad3 <p> </p> <p><span><em>Note: Click on the image to see a larger (original) version.</em></span></p> <p> </p> <h2> <strong>Introduction</strong> </h2> <p>Static Application Security Testing (<strong>SAST</strong>) is a crucial practice within the Software Security Development Life Cycle (<strong>SSDLC</strong>) that enables developers to identify security vulnerabilities early in the code development phase. While understanding the concepts of <strong>SAST</strong> is important, implementing it effectively in real-world projects is what ensures robust and secure software delivery.</p> <p>In this second part of our <strong>SAST</strong> series, we focus on integrating the <strong>SonarQube Cloud</strong>, a popular static analysis tool, into the IntelliJ IDEA and running it using Docker. </p> <p>We will explore:</p> <ul> <li>SonarQube Cloud for SAST</li> <li>Local scanning with SonarQube Cloud via IntelliJ IDEA</li> <li>Local scanning using Docker Compose with SonarQube image</li> </ul> <p>Tools:</p> <ul> <li>SonarQube Cloud</li> <li>Spring Boot</li> <li>IntelliJ IDEA</li> <li>Docker-Compose</li> </ul> <p>Prerequisites:</p> <ul> <li><p>Create a Spring Boot project using IntelliJ IDEA or the Spring Boot Initializr at <a href="https://start.spring.io/" rel="noopener noreferrer">https://start.spring.io/</a>.</p></li> <li><p>Click <strong>Next</strong> and generate the project without dependencies.</p></li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc07bbpqat146eju2p876.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc07bbpqat146eju2p876.png" alt="New Spring Boot project in IntelliJ EDIA" width="744" height="636"></a></p> <p> <br>  </p> <h2> SonarQube Cloud for SAST </h2> <p>SonarQube Cloud offers a hassle-free way to start static code analysis without managing your own infrastructure. It provides cloud-hosted scanning capabilities that analyze code quality, security vulnerabilities, bugs, and code smells.</p> <p> <br>  </p> <h3> Setting Up SonarQube Cloud </h3> <ol> <li> <strong>Create an account:</strong> Visit SonarQube’s official website and sign up for a free or paid cloud account.</li> <li> <strong>Create a new project:</strong> Once logged in, create a new project by providing your repository details.</li> <li> <strong>Generate an authentication token:</strong> For integrating scanning tools, generate a security token from your account settings. We must store it in a secret place, like in the GitHub Actions environment or repository secret.</li> <li> <strong>Configure project settings:</strong> We need to set Quality Gates, SLAs, and rules according to our security policy. For a free account, we cannot create the Quality Gates; we must use the default one.</li> </ol> <p>SonarQube Cloud then becomes the central place to view detailed security reports and code quality metrics.</p> <p> <br>  </p> <h3> Overview of SonarQube’s cloud capabilities for static code analysis </h3> <p> <br>  </p> <p>SonarCloud is a fully managed SaaS platform for continuous static code analysis, designed to detect code quality issues, security vulnerabilities, and maintainability risks across modern software projects. It provides code coverage plugin integration that is used by 30+ different programming languages, including Java, Python, C#, JavaScript, TypeScript, and Go.</p> <p><strong>Capabilities</strong>:</p> <ul> <li> <p><strong>Cloud-hosted and fully managed:</strong> SonarCloud removes the need for installation, hosting, or maintenance. This allows teams to focus solely on development and CI/CD pipelines. Use the cloud version if your company does not work under compliance regulations.</p> <p>SonarSource manages:</p> <ul> <li>uptime</li> <li>scaling</li> <li>rule updates</li> <li>language analyzers</li> <li>security patches</li> </ul> </li> <li> <p><strong>Deep Static Code Analysis:</strong> SonarCloud performs comprehensive static analysis across many dimensions:</p> <ul> <li>Bug Detection. Identifies code paths that can lead to crashes, incorrect logic, or unintended behavior.</li> <li>Security vulnerability detection. Finds CWE-based, OWASP-aligned issues such as: <ul> <li>SQL Injection</li> <li>Path traversal</li> <li>Input validation issues</li> <li>Hardcoded secrets</li> <li>Command injection</li> <li>Code Smells. Flags maintainability issues, duplicated code, bad design, and anti-patterns.</li> </ul> </li> <li>Cognitive Complexity. Measures how difficult code is to understand and maintain.</li> <li>Multi-language support. Supports 30+ languages, including Java, Python, JavaScript, TypeScript, Go, C#, Kotlin, PHP, Terraform, YAML, and more.</li> </ul> </li> <li> <p><strong>Seamless CI/CD integration</strong>: SonarCloud integrates natively with:</p> <ul> <li>CI providers: <ul> <li>GitHub Actions</li> <li>Azure Pipelines</li> <li>Bitbucket Pipelines</li> <li>GitLab CI</li> </ul> </li> <li>Build tools: SonarQube provides integrations with build tools. For example, in our case, the Gradle Sonar plugin is used to run Sonar Scanner in the CI/CD pipeline.</li> </ul> </li> <li><p><strong>Pull request and branch analysis:</strong> SonarCloud performs inline analysis during PR reviews, preventing issues from reaching the main branch. The free plan does not support this.</p></li> <li> <p><strong>Quality Gates:</strong> A Quality Gate defines the rules that code must satisfy before being merged. If a PR <span>fails</span> the Quality Gate, the CI pipeline can block the merge. Adding custom Quality Gates is not supported by the free plan.</p> <p>Default checks include:</p> <ul> <li>No new critical or blocker issues.</li> <li>Code coverage must meet a minimum threshold.</li> <li>No new bugs or security vulnerabilities.</li> <li>No new code duplications.</li> </ul> </li> <li><p><strong>Test coverage and code metrics:</strong> SonarCloud provides overall coverage and new code coverage, for example, for a specific PR or branch.</p></li> <li> <p><strong>Organization and project dashboards:</strong> SonarCloud provides rich dashboards for:</p> <ul> <li>Centralized issue tracking.</li> <li>Historical trend charts for issues, code coverage, and duplications.</li> <li>Hotspot security review.</li> <li>Code coverage progress.</li> <li>History of activities for each branch or PR.</li> </ul> </li> <li> <p><strong>Notifications and integrations:</strong> Supports notifications via:</p> <ul> <li>GitHub checks.</li> <li>GitLab merge requests.</li> <li>Slack.</li> <li>Email.</li> <li>Webhooks.</li> </ul> </li> <li><p><strong>Open APIs and extensions:</strong> SonarQube provides APIs to build custom dashboards and export metrics.</p></li> </ul> <p> <br>  </p> <h2> Local scanning with SonarQube Cloud via IntelliJ IDEA </h2> <p>Running local scans during development helps catch issues early before code is committed.</p> <p> </p> <h3> Installing and configuring the SonarQube plugin in IntelliJ IDEA </h3> <ol> <li>Open IntelliJ IDEA.</li> <li>Navigate to <strong>File &gt; Settings &gt; Plugins</strong> and search for the "SonarQube" plugin.</li> <li>Install and restart the <strong>IDE</strong>. It must appear in the <strong>“Installed”</strong> section.</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs4jajteiwt0oi4e45myq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs4jajteiwt0oi4e45myq.png" alt="SonarQube plugin isntallation in IntelliJ" width="705" height="517"></a></p> <p> <br>  </p> <ol> <li>Generate the authentication Sonar token. Go to the SonarCloud website, then My Account &gt; Security &gt; Generate Token, or click on this link <a href="https://sonarcloud.io/account/security/" rel="noopener noreferrer">https://sonarcloud.io/account/security/</a>, and you will be redirected to the token generation page. Enter the name of the token, typically where you want to use it, and click the “Generate Token” button.</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvn7kh7osyq8ym6piv0bi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvn7kh7osyq8ym6piv0bi.png" alt="SonarQube cloud security tab" width="710" height="522"></a></p> <p> <br>  </p> <ol> <li>Configure the plugin by adding your SonarQube Cloud server URL and authentication token. Click on the SonarQube plugin icon, then select the gear icon, as shown in the screenshot.</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flu9tiko4omcb2h2znuq6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flu9tiko4omcb2h2znuq6.png" alt="IntelliJ SonarQube plugin icon" width="800" height="363"></a></p> <p> <br>  </p> <p>Enter the Project key of your SonarQube project and click “Configure the connection”.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuasp34yysvftud0nzobz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuasp34yysvftud0nzobz.png" alt="IntelliJ SonarQube plugin configuration 1" width="800" height="337"></a></p> <p> <br>  </p> <p>You will see the Connection section, click the plus to add a new connection.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foie6px14di0ukwgt0iky.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foie6px14di0ukwgt0iky.png" alt="IntelliJ SonarQube plugin configuration 2" width="800" height="494"></a></p> <p> <br>  </p> <p>Enter the name of the connection and click “Next”.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmo5pf3m6y7lm5tlbpfb8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmo5pf3m6y7lm5tlbpfb8.png" alt="IntelliJ SonarQube plugin configuration 3" width="800" height="336"></a></p> <p> <br>  </p> <p>Paste the generated token, or you can even create the token from this IDE window. Click “Next”, and the IDE will attempt to connect to <strong>Sonar Cloud</strong>. You will see that authentication is <span>successful</span> if the connection is established.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbkoqzfpdoy1c6i3n3acb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbkoqzfpdoy1c6i3n3acb.png" alt="IntelliJ SonarQube plugin configuration 4" width="800" height="336"></a></p> <p> <br>  </p> <h3> Running local scans </h3> <p> <br>  </p> <p>After configuration, you can run <strong>SonarQube</strong> scans directly from the IDE. The plugin highlights issues inline and provides quick access to detailed analysis reports. Click <strong>“Analyze All Project Files”</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffx5gj8qn3g223sastwqm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffx5gj8qn3g223sastwqm.png" alt="IntelliJ SonarQube plugin analyze project 1" width="800" height="287"></a></p> <p> <br>  </p> <p>You can see the results. In this case, it found the token in the gradle-local.properties file, which is ignored by the <strong>.gitignore file</strong>, and it is only for local purposes. However, you will still see it unless you exclude it from scanning. This plugin also allows you to do it.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fho72wkt45lsdk84kfxb5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fho72wkt45lsdk84kfxb5.png" alt="IntelliJ SonarQube plugin analyze project 2" width="800" height="271"></a></p> <p> <br>  </p> <p>Below you can see the result of this specific finding. Additionally, the plugin provides information on why this issue occurs and how to resolve it.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1wijbjxq9o13918ts2vv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1wijbjxq9o13918ts2vv.png" alt="IntelliJ SonarQube plugin analyze project 3" width="800" height="413"></a></p> <p> <br>  </p> <p>Benefits of local scanning:</p> <ul> <li>Immediate feedback on security and quality issues.</li> <li>Reduces the likelihood of pushing vulnerable code.</li> <li>Saves time by fixing problems early in the development workflow.</li> </ul> <p> </p> <h2> Local scanning using Docker Compose with SonarQube image </h2> <p>If you prefer running SonarQube locally, Docker provides an easy setup that eliminates the need for complex installation.</p> <p> </p> <h3> Setting up SonarQube locally via Docker Compose </h3> <p>Create a <strong>“docker-compose.yml”</strong> file with the following content:</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code> version: "3.9" services: sonarqube: image: sonarqube:latest ports: - "9000:9000" environment: SONAR_ES_BOOTSTRAP_CHECKS_DISABLE: "true" volumes: - sonarqube_data:/opt/sonarqube/data - sonarqube_extensions:/opt/sonarqube/extensions volumes: sonarqube_data: sonarqube_extensions: </code></pre> </div> <p> <br>  </p> <p>Here is the <strong>gradle-local.properties</strong> file.</p> <p>Place it in the root of the project and add it to the <strong>.gitignore</strong>.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code> <span class="py">systemProp.sonar.qualitygate.wait</span><span class="p">=</span><span class="s">true</span> <span class="py">sonar.projectKey</span><span class="p">=</span><span class="s">sonarqube_actions_demo_key</span> <span class="py">sonar.organization</span><span class="p">=</span><span class="s">local-organization</span> <span class="py">sonar.projectName</span><span class="p">=</span><span class="s">sonarqube_actions_demo</span> <span class="py">sonar.token</span><span class="p">=</span><span class="s">sqp_b7dc6e025b58eb7455b11c6c468cda2b79eb6450b</span> <span class="py">sonar.host.url</span><span class="p">=</span><span class="s">http://localhost:9000</span> <span class="py">sonar.coverage.jacoco.xmlReportPaths</span><span class="p">=</span><span class="s">build/reports/jacoco/test/jacocoTestReport.xml</span> </code></pre> </div> <p> <br>  </p> <p>Gradle configuration. The SonarQube plugin is required.</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight gradle"><code> <span class="n">plugins</span> <span class="o">{</span> <span class="n">id</span> <span class="s1">'java'</span> <span class="n">id</span> <span class="s2">"org.sonarqube"</span> <span class="n">version</span> <span class="s2">"7.0.0.6105"</span> <span class="n">id</span> <span class="s1">'jacoco'</span> <span class="n">id</span> <span class="s1">'org.springframework.boot'</span> <span class="n">version</span> <span class="s1">'3.0.0'</span> <span class="n">id</span> <span class="s1">'io.spring.dependency-management'</span> <span class="n">version</span> <span class="s1">'1.1.7'</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <p>SonarQube properties</p> <p> <br>  <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight gradle"><code> <span class="kt">def</span> <span class="n">localProps</span> <span class="o">=</span> <span class="k">new</span> <span class="n">Properties</span><span class="o">()</span> <span class="kt">def</span> <span class="n">localFile</span> <span class="o">=</span> <span class="n">file</span><span class="o">(</span><span class="s2">"gradle-local.properties"</span><span class="o">)</span> <span class="k">if</span> <span class="o">(</span><span class="n">localFile</span><span class="o">.</span><span class="na">exists</span><span class="o">())</span> <span class="o">{</span> <span class="n">localProps</span><span class="o">.</span><span class="na">load</span><span class="o">(</span><span class="n">localFile</span><span class="o">.</span><span class="na">newDataInputStream</span><span class="o">())</span> <span class="o">}</span> <span class="n">sonar</span> <span class="o">{</span> <span class="n">properties</span> <span class="o">{</span> <span class="n">property</span> <span class="s2">"sonar.projectKey"</span><span class="o">,</span> <span class="n">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s2">"SONAR_PROJECT_KEY"</span><span class="o">)</span> <span class="o">?:</span> <span class="n">localProps</span><span class="o">[</span><span class="s2">"sonar.projectKey"</span><span class="o">]</span> <span class="n">property</span> <span class="s2">"sonar.organization"</span><span class="o">,</span> <span class="n">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s2">"SONAR_ORGANIZATION_KEY"</span><span class="o">)</span> <span class="o">?:</span> <span class="n">localProps</span><span class="o">[</span><span class="s2">"sonar.organization"</span><span class="o">]</span> <span class="n">property</span> <span class="s2">"sonar.projectName"</span><span class="o">,</span> <span class="n">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s2">"SONAR_PROJECT_NAME"</span><span class="o">)</span> <span class="o">?:</span> <span class="n">localProps</span><span class="o">[</span><span class="s2">"sonar.projectName"</span><span class="o">]</span> <span class="n">property</span> <span class="s2">"sonar.token"</span><span class="o">,</span> <span class="n">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s2">"SONAR_TOKEN"</span><span class="o">)</span> <span class="o">?:</span> <span class="n">localProps</span><span class="o">[</span><span class="s2">"sonar.token"</span><span class="o">]</span> <span class="n">property</span> <span class="s2">"sonar.host.url"</span><span class="o">,</span> <span class="n">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s2">"SONAR_HOST_URL"</span><span class="o">)</span> <span class="o">?:</span> <span class="n">localProps</span><span class="o">[</span><span class="s2">"sonar.host.url"</span><span class="o">]</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p> <br>  </p> <p>Run the following command to start the container: <strong>docker-compose up -d</strong>, or you can run it from your <strong>IntelliJ IDEA</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flxz9qcxyxzt6kkystdox.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flxz9qcxyxzt6kkystdox.png" alt="IntelliJ Docker-compose icon run" width="800" height="284"></a></p> <p> <br>  </p> <p>You can see the container is up and running</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvuoov0l31qkq5ysvxcyc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvuoov0l31qkq5ysvxcyc.png" alt="IntelliJ Docker container running" width="800" height="266"></a></p> <p> <br>  </p> <p>Access SonarQube dashboard at <a href="http://localhost:9000" rel="noopener noreferrer">http://localhost:9000</a>. Login is <strong>admin</strong>, but you will need to change the password from admin to a new one.</p> <p>Click Create project from the top right corner.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc11kt3pekl595qfyjzh8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc11kt3pekl595qfyjzh8.png" alt="Local SonarQube create project menu" width="355" height="298"></a></p> <p> <br>  </p> <p>Enter the same name and project key as in your <strong>gradle-local.properties</strong> file. Then select to use the previous version.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd7k5hg6efsm6q0z3j293.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd7k5hg6efsm6q0z3j293.png" alt="Local SonarQube create project step 1" width="755" height="481"></a></p> <p> <br>  </p> <p>Choose <strong>Locally</strong> as the <strong>Analysis Method</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh8db1yzo1hi7kbzhlszf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh8db1yzo1hi7kbzhlszf.png" alt="Local SonarQube create project step 2" width="800" height="262"></a></p> <p> <br>  </p> <p>Type the name of the token and click Generate, then Continue, and set it in the <strong>gradle-local.properties</strong> file to the <strong>“sonar.token”</strong> property like<br> <br> <code>properties sonar.token=sqp_b7dc6e025b58eb7455b11c6c468cda2b79eb6450b</code><br> <br> .</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnmhadcx1lhsruvf7aude.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnmhadcx1lhsruvf7aude.png" alt="Local SonarQube create project token generation step 3" width="800" height="555"></a></p> <p> <br>  </p> <p>If you want to generate manually, you can do it as shown in the screenshot below.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkhfd3jc67ygkut1bukgq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkhfd3jc67ygkut1bukgq.png" alt="Local SonarQube manual token generation" width="800" height="289"></a></p> <p> <br>  </p> <h3> Run the Sonar scan from the command line or from <strong>IntelliJ IDEA</strong> </h3> <p>Use this command <strong>./gradlew sonar --info</strong> or run from your <strong>IntelliJ IDEA</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5wp1nc739zdw3hk02gx7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5wp1nc739zdw3hk02gx7.png" alt="Gradle sonar local scanning command result" width="800" height="261"></a></p> <p> <br>  </p> <p>You can view the result by going to the Projects tab. The metrics and coverage are for the main branch only and show overall coverage and metrics. For more details about the new code analysis, click on the project.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiyzj2r3aqdditsq5td15.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiyzj2r3aqdditsq5td15.png" alt="Local SonarQube result on UI" width="800" height="134"></a></p> <p> <br>  </p> <h3> Comparing Local Docker Setup with Cloud Scanning </h3> <ul> <li>Cloud: No maintenance, scalable, accessible anywhere.</li> <li>Local Docker: Full control, ideal if you have no internet connection for an extended period but need to review scan results, useful for sensitive projects.</li> </ul> <p> <br>  </p> <h2> <strong>Conclusion</strong> </h2> <p>This article demonstrates how to maximize the benefits of SonarCloud by scanning locally with IntelliJ IDEA or Docker. This helps prevent insecure code from being pushed even to a feature branch and allows developers to work more productively.</p> <p> <br>  </p> <h2> <strong>Closing</strong> </h2> <p>This article covered SonarQube Cloud configuration and IntelliJ IDEA integration, as well as running SonarQube locally with Docker. In <strong>“Automating code security in CI/CD: SonarCloud SAST guide (Part 3)”</strong>, we will explore practical integration examples, configuration patterns, and <strong>CI/CD</strong> pipelines.</p> <p> <br>  </p> <h2> <strong>Links</strong> </h2> <ul> <li>SonarQube Cloud - <a href="https://sonarcloud.io/" rel="noopener noreferrer">https://sonarcloud.io/</a> </li> <li>SonarQube documentation - <a href="https://docs.sonarsource.com/" rel="noopener noreferrer">https://docs.sonarsource.com/</a> </li> </ul> <p>Originally published on my personal blog: <a href="https://matevosian.tech/blog/post/sast-part2-local-scanning" rel="noopener noreferrer">https://matevosian.tech/blog/post/sast-part2-local-scanning</a></p> security sast devsec sonarqube The Secret Behind SAST: The Security Blind Spot Developers Can’t Ignore (Part 1) Vardan Matevosian Sat, 06 Dec 2025 17:41:46 +0000 https://dev.to/vardan_matevosian_tech/the-secret-behind-sast-the-security-blind-spot-developers-cant-ignore-part-1-3n7m https://dev.to/vardan_matevosian_tech/the-secret-behind-sast-the-security-blind-spot-developers-cant-ignore-part-1-3n7m <h2> Itroduction </h2> <p>The first part of this article provides a robust theoretical foundation for understanding SAST and its importance in ensuring secure development. Additionally, the subsequent articles (Part 2, and Part 3) will delve into practical examples and effective implementation strategies.</p> <p>In the field of modern software engineering, it is not only required to provide features on time but also to ensure their security. As companies refine their Secure Software Development Life Cycle (SSDLC) strategies, one essential aspect that stands out is Static Application Security Testing (SAST).</p> <h2> What is SAST? </h2> <p>SAST, or Static Application Security Testing, refers to a type of security testing that identifies and addresses potential vulnerabilities in software code. SAST involves examining source code, bytecode, or binaries without running the actual application by scanning the codebase for known vulnerability patterns. </p> <p>Source code refers to the human-readable code written by developers.</p> <p>Bytecode refers to the compiled form of source code that a virtual machine or runtime can execute, which can be analyzed by SAST tools to detect errors, vulnerabilities, or performance issues before deployment. For example, in Java .class files – the compiled Java classes generated from .java source files.</p> <p>Binaries refer to compiled artifacts; in Java, these are typically .jar files, which are Java archives containing .class files and sometimes additional resources such as properties or XML files.</p> <p>This tool can detect security weaknesses early on, which covers bugs, code smells, and the latest at this moment, 2021 OWASP TOP 10 categories, such as:</p> <ul> <li><a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/" rel="noopener noreferrer">A01:2021-Broken Access Control</a></li> <li><a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/" rel="noopener noreferrer">A02:2021-Cryptographic Failures</a></li> <li><a href="https://owasp.org/Top10/A03_2021-Injection/" rel="noopener noreferrer">A03:2021-Injection</a></li> <li><a href="https://owasp.org/Top10/A04_2021-Insecure_Design/" rel="noopener noreferrer">A04:2021-Insecure Design</a></li> <li><a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/" rel="noopener noreferrer">A05:2021-Security Misconfiguration</a></li> <li><a href="https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/" rel="noopener noreferrer">A06:2021-Vulnerable and Outdated Components</a></li> <li><a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/" rel="noopener noreferrer">A07:2021-Identification and Authentication Failures</a></li> <li><a href="https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/" rel="noopener noreferrer">A08:2021-Software and Data Integrity Failures</a></li> <li><a href="https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/" rel="noopener noreferrer">A09:2021-Security Logging and Monitoring Failures</a></li> <li><a href="https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/" rel="noopener noreferrer">A10:2021-Server-Side Request Forgery</a></li> </ul> <p>SAST tools analyze program components, including code structure, data flows, and control flows, to identify potential security vulnerabilities before the software is developed or deployed.</p> <p>Control flow refers to the order in which individual statements, instructions, or functions in a program are executed.</p> <p>Data flow refers to the movement of data through a program, specifically how values are assigned, modified, and passed between variables, functions, or modules. It defines how data travels and transforms during execution. One example is detecting tainted data. Tainted data refers to identifying untrusted or potentially dangerous input in a program that could flow into sensitive operations (called “sinks”) without proper validation or sanitization.</p> <p>Control flow determines the sequence of execution in a program, while data flow tracks how data values propagate and transform through that execution.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Aspect</th> <th>Control Flow</th> <th>Data flow</th> </tr> </thead> <tbody> <tr> <td>What it describes</td> <td>Execution order or decision paths</td> <td>How data moves and changes</td> </tr> <tr> <td>Examples</td> <td>Loops, conditionals, function calls</td> <td>Variable assignments, method parameters, and return values</td> </tr> <tr> <td>Use in SAST</td> <td>Detect unreachable code, infinite loops, and so on</td> <td>Detect tainted data, SQL injection, and logging sensitive info</td> </tr> </tbody> </table></div> <p>Some of the tools classified as SAST are:</p> <ul> <li>Semgrep, PMD, SpotBugs, and FindSecBugs - popular open-source tools for code analysis and bug detection.</li> <li>Fortify, Checkmarx, and Veracode - reliable enterprise solutions.</li> <li>Snyk, SonarQube Cloud, and GitHub CodeQL - cloud-based or SaaS tools.</li> </ul> <h2> The importance of SAST in secure development cannot be overstated. </h2> <p>Implementing SAST within SSDLC enables the efficient implementation of large-scale security measures by:</p> <ul> <li>Detecting problems early on</li> <li>Halting the advancement of vulnerable code through the pipeline, SAST minimizes both time and expense associated with remediation.</li> <li>Incorporating security earlier in the development process</li> <li>Feedback is provided to developers during the commit or pull request process while the context is still fresh, allowing for any necessary fixes to be made more easily.</li> <li>Promoting the education of developers.</li> <li>SAST findings facilitate the organic acquisition of secure coding patterns by developers, promoting the integration of security as a daily practice.</li> <li>Minimizing risk in the manufacturing process</li> </ul> <p>By addressing vulnerabilities early on in the SDLC or live systems, there is a lower occurrence of security incidents. Several compliance frameworks, such as ISO 27001, SOC2, and PCI DSS, require the inclusion of static security testing in secure development governance.</p> <h2> How to integrate SAST into CI/CD? </h2> <p>The integration of SAST into the development lifecycle is essential for its optimal effectiveness.</p> <p><strong>Developer local environment (can be optional, but recommended)</strong></p> <ul> <li>Run lightweight SAST tools locally (Semgrep, CodeQL CLI, Snyk CLI, SonarQube local server using Docker) or run IDE plugins such as SonarQube Cloud that can connect easily from the IDE to the SonarQube Cloud server before pushing code.</li> <li>Helps reduce noise in the CI pipeline or incidentally pushes sensitive data to the GIT repository.</li> </ul> <p><strong>Pull request (PR) and merge request (MR) stage</strong></p> <ul> <li>Protect the main branches from merging directly until all pipeline jobs are <strong>SUCCESSFUL</strong>. If Git Flow is used, protected branches typically are: <strong>dev</strong>, <strong>qa</strong>, or <strong>staging</strong>, <strong>pre-prod</strong>, and <strong>prod</strong>.</li> <li>Trigger a SAST scan on <strong>each PR/MR</strong>.</li> <li>Block merging if findings exceed severity thresholds, for example, by configuring Quality Gate in SonarQube or other severity-related policies. You can configure the CI/CD pipeline to <strong>FAIL</strong> if, for example, <strong>1 Critical</strong> and/or <strong>3 High</strong> vulnerabilities are detected.</li> <li>Use the SAST tool’s suggestions on how to resolve the issue.</li> <li>Investigate the findings to identify potential <strong>false positives</strong>. SAST scanners provide useful information about each vulnerability, making it easier to understand them.</li> </ul> <p><strong>CI pipeline</strong></p> <ul> <li>Add SAST as an early stage. Depends on the project; it can be after the build and test stage or before it, if only the source code is used to scan the project, but the recommended approach is to use it after, because you can configure it to scan for binaries or bytecode.</li> <li>Fail builds based on: <ul> <li>severity level (Low, Medium, High, Critical)</li> <li>the count of severity levels (for example, 20 Medium, 5 High, 2 Critical)</li> <li>security policy rules</li> <li>code smells</li> </ul> </li> </ul> <p><strong>Scheduled full scans</strong></p> <ul> <li>Run nightly or weekly deep scans on the entire codebase. For example, Snyk scans the project by default once a week and sends the report to the user’s email (this is a SaaS tool, and it depends on whether the company is allowed to send the codebase to other services for scanning for vulnerabilities). </li> <li>Capture findings not detected in incremental scans.</li> </ul> <p><strong>Governance</strong></p> <ul> <li>Export results into an issue tracker (such as Jira) or a SIEM (Security Information and Event Management) system. Some of the SAST tools allow the creation of an issue ticket in Jira.</li> <li> <p>Track remediation SLAs (Service Level Agreement) by severity:</p> <ul> <li>Critical issues fixed within <strong>24 hours</strong> </li> <li>High-severity fix within <strong>3 days</strong> </li> <li>Medium <strong>7–14 days</strong> </li> <li>Low <strong>30+ days</strong> </li> </ul> </li> <li><p>Maintain centralized dashboards (SonarQube, Snyk, DefectDojo).</p></li> </ul> <p>The key principle: <strong>SAST must become a non-negotiable quality gate</strong>, just like unit tests, linters, or build verifiers.</p> <h2> Why do some companies run SAST within CVS instead of SaaS tools? </h2> <p>While modern SaaS security platforms are powerful, many enterprises still <strong>run SAST inside their version-control system (CVS)</strong> or self-hosted environments. </p> <p><strong>Data protection and compliance</strong></p> <p>Source code is often the company’s most sensitive intellectual property.<br> Some industries, such as finance, defense, and telecom, cannot upload code to external SaaS due to:</p> <ul> <li>Data residency restrictions</li> <li>Regulatory constraints</li> <li>Confidentiality concerns</li> </ul> <p><strong>Full control and custom rules</strong></p> <p>Self-hosted SAST (SonarQube Enterprise, Checkmarx On-Premise) offers:</p> <ul> <li>Custom rule tuning for domain-specific patterns</li> <li>Control over scanner performance and scheduling</li> <li>On-prem log retention and audit trails</li> </ul> <p><strong>No external vendor dependency</strong><br> Large organizations want predictable SLAs and reliability without relying on external service uptime or rate limits. Companies often use cloud VMs (Virtual Machines) with autoscaling that make the server available even if one goes down, especially when all infrastructure is deployed on a specific cloud provider like AWS, Azure, and GCP. Still, it is more difficult to configure and maintain your own server compared to SaaS alternatives.</p> <p><strong>Cost optimization at scale</strong></p> <p>SaaS SAST tools are charged per seat or LOC (lines of code).<br> For large organizations with millions of LOC, on-premise licensing might be more efficient.<br> This doesn't make SaaS solutions inferior; they are excellent for small to mid-sized companies or teams that prefer zero maintenance overhead, but big enterprises often choose to keep scanning where the codebase is located or self-hosted.</p> <h2> How does SAST strengthen your application before deployment? </h2> <p>SAST adds many layers of security reinforcement before one line is deployed:</p> <ul> <li>Eliminates vulnerabilities at the earliest point. Fixing issues in development prevents vulnerabilities from ever entering later stages.</li> <li>Reduces attack surface. Every resolved injection flaw, every sanitized input, and every removed secret reduces the exploitable surface in production.</li> <li>Improved code quality. Most of the SAST rules lead to improved code clarity, design patterns, and maintainability.</li> <li>Drives security culture. SAST is an enabler of secure software development practices. Teams start thinking in terms of: <ul> <li>safe patterns</li> <li>least-privilege design</li> <li>secure defaults</li> <li>flow validation</li> </ul> </li> </ul> <p><strong>SAST best practices</strong></p> <p>To maximize the value of SAST in SSDLC:</p> <ul> <li>Start with a minimal and focused rule set. Avoid overwhelming developers. Enable rules progressively.</li> <li>Integrate into PR pipelines.</li> <li>Make SAST feedback part of the daily development routine.</li> <li>Use severity thresholds. These configurations can differ from company to company.</li> <li>Avoid false positives. Not all findings are equal; that is why you need to tune rules to reduce false positives. Even if the finding’s severity level is High and it may appear to be a serious issue, it depends on how the feature or script was implemented.</li> <li>Establish SLAs for remediation. For example: <ul> <li>Critical: fix within 1-2 days.</li> <li>High: fix within 5-7 days.</li> <li>Medium: fix within 30 days.</li> </ul> </li> <li>Combine with other AST tools. SAST is one part of the security puzzle. Always complement it with: <ul> <li>ISCA (dependency scanning), if the tool does not support it, or you can use the free trial version of the tool.</li> <li>WAF (Web Application Firewall) adds a defence layer in front of your application by filtering and monitoring HTTP/HTTPS traffic.</li> </ul> </li> </ul> <p>WAF does not replace SAST or DAST. It can block known attack patterns, mitigate exploitation attempts before fixes are deployed, provide real-time protection in production, and prevent DDoS attacks.</p> <ul> <li>DAST (Dynamic Application Security Testing). Scan the <strong>DEV</strong> or <strong>QA</strong> environment, because <strong>DAST</strong> is used when the application is up and running. Effective DAST can be performed in two phases:</li> </ul> <p><strong>Automated scanning</strong> — baseline detection of common runtime vulnerabilities.</p> <p><strong>Manual exploratory testing</strong> — for issues that automated tools often miss (logic flaws, authorization bypasses, etc.). Not all vulnerabilities can be discovered by SAST alone, which is why DAST is an important complement.</p> <ul> <li>Ensure DevSecOps collaboration. Security engineers, platform teams, and developers must collaborate on: <ul> <li>rule tuning</li> <li>prioritization</li> <li>education</li> </ul> </li> </ul> <h2> Conclusion </h2> <p>SAST remains one of the cornerstones of a mature <strong>SSDLC</strong>. It provides early, actionable insights into code security, reduces risk, empowers developers, and fortifies applications before deployment.<br> Implemented with care, <strong>SAST</strong> becomes more than just a detection tool; it becomes a catalyst for a long-term secure engineering culture.</p> <h2> Closing </h2> <p>This article covered the theoretical foundation of <strong>SAST</strong> and its strategic role within secure development. In ”<strong>Catch vulnerabilities before they ship: local SonarQube setup (Part 2)</strong>”, we will explore SonarQube Cloud configuration and IntelliJ IDEA integration, as well as running SonarQube locally with Docker.<br> If you're building secure systems at scale, <strong>SAST</strong> is where prevention truly begins.</p> <p>Originally published on my personal blog: <a href="https://matevosian.tech/blog/post/SAST-part1-theory" rel="noopener noreferrer">https://matevosian.tech/blog/post/SAST-part1-theory</a></p> sast cicd security devops